
i want to get http.response_for.uri in tshark

asked 2022-10-21 06:52:26 +0000

updated 2022-10-24 07:50:32 +0000

grahamb

Are tshark questions here?

If I'm wrong, please let me know the URL where I can ask questions.

I want to get http.response_for.uri using tshark with below command.

However, even if I access the HP, the value is not returned.

Wireshark can get the value.

Is the command wrong?

tshark -i 4 -E separator=, -T fields -e http.response_for.uri


There is no problem with this command...

7ACE ( 2022-10-24 02:34:36 +0000 )

2 Answers


answered 2022-10-26 12:33:38 +0000

André

updated 2022-10-26 12:43:30 +0000

When I try the command it does output http.response_for.uri during live capture. Are you capturing encrypted streams (https)?

Instead of using a field in the http response referring to the request, you can also use the field(s) from the actual http request:

tshark -i 4 -T fields -e http.request.full_uri -Y "http.request and http"



I tried the command you provided to access the yahoo article, but nothing is displayed.

By the way, URLs that are not accessed irregularly are displayed.

The URL is below. is used as a file server and no web service has been started.

Not even a gateway. [email protected] ( 2022-10-28 06:54:49 +0000 )

I tried the command you provided to access the yahoo article, but nothing is displayed.

What happens if you try the command

tshark -i 4 -w {capture file}

where {capture file} is the pathname for some file in a directory in which you can create a file, let it run for a while until you know that it would have captured the traffic containing the request and reply, stop the capture by typing control-C and then run the commands

tshark -r {capture file} -T fields -e http.request.full_uri -Y "http.request and http"


tshark -r {capture file}

Does the first command show the field?

Does the second command show any HTTP traffic?

Guy Harris ( 2022-10-28 07:31:58 +0000 )

Maybe the traffic over port 8080 is not recognized as http. You can force it by adding the 'decode as' option:

 -d tcp.port==8080,http

André ( 2022-10-28 08:09:34 +0000 )

answered 2022-10-21 09:10:27 +0000

grahamb

You will probably need to enable 2-pass processing via the -2 flag.



What are 2-pass and the -2 flag?

Please tell me specifically. [email protected] ( 2022-10-23 23:06:00 +0000 )

It's described in the tshark man page right at the start of the options list.

grahamb ( 2022-10-24 07:52:38 +0000 )

I ran it with "-2", but the following message is displayed.

tshark: Live captures do not support two-pass analysis.

tshark -2 -i 4 -E separator=, -T fields -e http.response_for.uri

[email protected] ( 2022-10-25 05:32:26 +0000 )

Then you will have to capture the traffic and write it to a file, and then run tshark, reading the file, with -2.

Guy Harris ( 2022-10-25 06:13:33 +0000 )

It is necessary to get the URL in real time as a requirement.

How can I get the URL accessed in real time? [email protected] ( 2022-10-26 07:11:10 +0000 )
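Putting both answers together as an added example (not code from anyone in this thread): the request-side field http.request.full_uri is read straight from the request packet, so it works in a live capture without the two-pass (-2) mode that tshark refuses for live captures; -l flushes each matching packet as it is seen, and the 'decode as' option covers traffic on port 8080. The interface number, the port and the sample output line are assumptions.

```python
import subprocess

# Tab separator: the default ',' aggregator for repeated fields would be
# ambiguous with "-E separator=," as used in the question.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "http.host",
          "http.request.full_uri"]

# Constructed sample of one tshark output line (RFC 5737 addresses, not real traffic).
SAMPLE_LINE = ("1666941289.123456\t10.0.0.5\t203.0.113.10\tfiles.example"
               "\thttp://files.example:8080/index.html\n")


def build_tshark_args(interface="4", decode_port=8080):
    """Live-capture command line. -l flushes each matching packet as it is
    seen, and the request-side field needs no two-pass (-2) analysis,
    which tshark refuses for live captures anyway."""
    args = ["tshark", "-i", interface, "-l", "-T", "fields",
            "-E", "separator=/t", "-E", "occurrence=f", "-E", "quote=n",
            "-Y", "http.request"]
    if decode_port:  # port 8080 is not dissected as HTTP unless forced
        args += ["-d", f"tcp.port=={decode_port},http"]
    for field in FIELDS:
        args += ["-e", field]
    return args


def parse_line(line):
    """Map one tab-separated tshark line to a dict, or None if unusable
    (blank line, missing field, or empty URI)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS) or not parts[-1]:
        return None
    record = dict(zip(FIELDS, parts))
    record["frame.time_epoch"] = float(record["frame.time_epoch"])
    return record


def monitor(interface="4", decode_port=8080, handler=print):
    """Run tshark and hand each parsed request to handler in real time."""
    proc = subprocess.Popen(build_tshark_args(interface, decode_port),
                            stdout=subprocess.PIPE, text=True)
    for line in proc.stdout:
        record = parse_line(line)
        if record:
            handler(record)
    return proc.wait()


if __name__ == "__main__":
    monitor()
```

Running it needs capture privileges on the chosen interface, and a site served over https still yields nothing because the request is encrypted, as noted in the first answer.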


Asked: 2022-10-21 06:52:26 +0000

Seen: 575 times

Last updated: Oct 28 '22