How to suppress ASCII length when using tshark to output TCP streams?

asked 2023-11-15 14:01:16 +0000

BramK
1 ●1 ●1

I captured a simple HTTP request and response in a pcap file. When showing the TCP stream with tshark:

tshark -r output.pcap -Y http -qz follow,tcp,ascii,0

I get the following results:

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 127.0.0.1:58748
Node 1: 127.0.0.1:4000
157
POST /payload HTTP/1.1
Host: localhost:4000
User-Agent: curl/8.1.2
Accept: */*
Content-Length: 4
Content-Type: application/x-www-form-urlencoded

bram
    245
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 11
ETag: W/"b-qochATLyV9QKlqXy0HGxicmrkmQ"
Date: Tue, 14 Nov 2023 15:37:09 GMT
Connection: keep-alive
Keep-Alive: timeout=5

{"bram":""}
===================================================================

Is it possible to get rid of the ASCII length (245) in such outputs?

I want to be able to reassemble TCP streams for full HTTP request/response pairs, and analyse them further in a different application.

edit retag flag offensive close merge delete

Comments

Can you post the PCAP of this packet somewhere?

hugo.vanderkooij ( 2023-11-15 14:21:24 +0000 )edit

thanks for your reply. here is the pcap file: https://we.tl/t-7QIqLOuGsp

BramK ( 2023-11-15 14:33:01 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

How to suppress ASCII length when using tshark to output TCP streams?

Comments

1 Answer

Your Answer

Question Tools

Stats

Related questions

How to suppress ASCII length when using tshark to output TCP streams? edit

Comments

1 Answer

Your Answer

Question Tools

Stats

Related questions

How to suppress ASCII length when using tshark to output TCP streams?