Are tshark questions here?
If I'm wrong, please let me know the URL where I can ask questions.
I want to get http.response_for.uri using tshark with below command.
However, even if I access the HP, the value is not returned.
Wireshark can get the value.
is the command wrong
tshark -i 4 -E separator=, -T fields -e http.response_for.uri
When I try the command it does output http.response_for.uri during live capture. Are you capturing encrypted streams (https)?
Instead of using a field in the http response referring to the request, you can also use the field(s) from the actual http request:
tshark -i 4 -T fields -e http.request.full_uri -Y "http.request and http"
I tried the command you provided to access the yahoo article, but nothing is displayed.
By the way, URLs that are not accessed irregularly are displayed.
The URL is below.
192.168.0.30 is used as a file server and no web service has been started.
Not even a gateway.
I tried the command you provided to access the yahoo article, but nothing is displayed.
What happens if you try the command
tshark -i 4 -w {capture file}
where {capture file} is the pathname for some file in a directory in which you can create a file, let it run for a while until you know that it would have captured the traffic containing the request and reply, stop the capture by typing control-C and then run the commands
tshark -r {capture file} -T fields -e http.request.full_uri -Y "http.request and http"
and
tshark -r {capture file}
Does the first command show the field?
Does the second command show any HTTP traffic?
Maybe the traffic over port 8080 is not recognized as http. You can force it be adding the 'decode as' option:
-d tcp.port==8080,http
You will probably need to enable 2-pass processing via the -2 flag.
What is 2-pass and -2 flag.
Please tell me specifically.
It's described in the tshark man page right at the start of the options list.
I ran it with "-2", but the following message is displayed. .
tshark: Live captures do not support two-pass analysis.
tshark -2 -i 4 -E separator=, -T fields -e http.response_for.uri
Then you will have to capture the traffic and write it to a file, and then run tshark, reading the file, with -2.
It is necessary to get the URL in real time as a requirement.
How can I get the URL accessed in real time?
Asked: 2022-10-21 06:52:26 +0000
Seen: 851 times
Last updated: Oct 28 '22
There is no problem with this command...