Displaying websocket traffic content

asked 2024-08-09 08:05:00 +0000


updated 2024-08-09 08:06:33 +0000

Hello all,

I am trying to display the content of websocket traffic between my machine and a server. The server is running an http server on port 8080. I am especially interested in displaying the full text content of websocket packets with text content.

To do so, I am using the following command:

tshark -Y websocket -P -V

However, I am facing several issues.

  • First of all, if I don’t start the capture before the client connects to the server, nothing is being captured and displayed. There might be several issues here. Maybe if tshark does not see the connection, it can not guess that there is http traffic on port 8080. And also if tshark does not see the “HTTP upgrade”, it can not guess that there is websocket traffic. How can I decode this websocket traffic, even after starting tshark well after the client-server connection occurred?
  • If I start tshark before the client-server connection occurs, it is ok. But, the text content of the websocket payload is truncated. So I do not see the entire content, I think a bit less than 250 characters is displayed.

For example:

WebSocket
1... .... = Fin: True
.000 .... = Reserved: 0x0
.... 0001 = Opcode: Text (1)
0... .... = Mask: False
.111 1110 = Payload length: 126 Extended Payload Length (16 bits)
Extended Payload length (16 bits): 1092
Payload
    Text [truncated]: {"_data":"0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
Line-based text data (1 lines)
     [truncated]{"_data":"0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456

How can I print the entire content?

Thanks in advance for the help.

I have tried with tshark windows version 4.2.6 and tshark linux version 3.4.10.

Ben


Comments

Can you provide a sample capture that is missing the “HTTP upgrade”?


I'm not sure if doing a "Decode as...":
-d <layer type>==<selector>,<decode-as protocol>
and a -z follow,prot,mode,filter[,range] might provide the output you're looking for.
Also in the Ask question linked below there is information about a 3rd party utility to extract Websocket data.
Is there a way to show non truncated data with tshark without recompiling?

Chuckc ( 2024-08-09 12:50:31 +0000 )

I have tried: tshark -Y websocket -P -V -d tcp.port==8080,http2 but that did not change anything.

Also I can not use -z follow,prot,mode,filter[,range] since I want to show all websocket content from a live capture.

I can not provide a sample capture easily since my company will not allow it. But I'll see what can be done.

BigBen ( 2024-08-09 15:21:22 +0000 )

I have tried: tshark -Y websocket -P -V -d tcp.port==8080,http2

If your capture is after the HTTP Upgrade message, then setting the port to HTTP2 will not help because there is no HTTP(2) on the stream. You can manually set the TCP port to websocket in such a case:

tshark -Y websocket -P -V -d tcp.port==8080,websocket

Though that will not work for any streams where the HTTP/2 is present.

You can also enable the Websocket over TCP heuristic dissector. This is disabled by default because it creates a lot of false positives (Websocket does not have a lot of uniquely identifying features), but since you know Websocket is there:

tshark --enable-heuristic websocket_tcp

The Websocket over TCP heuristic dissector is not in version 3.4.10, which is too old and no longer supported.

johnthacker ( 2024-08-10 00:39:59 +0000 )

As far as the truncated data, any of the other types of outputs (-T ek|fields|json|jsonraw|pdml|ps|psml) will display information without truncation, as will adding a column to display the websocket.payload.text field. (That field only exists in 4.0.8 and later - filter reference - there are some fields like data that should work in other versions.)

johnthacker ( 2024-08-10 00:44:05 +0000 )
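As an added example (not from this thread and not Wireshark code): WebSocket frames are self-describing once the stream is known to be WebSocket, so a raw TCP payload captured after the HTTP Upgrade can be decoded directly, including the "126 + 16-bit extended length" form from the question's 1092-byte frame. The sample frames below are constructed in the script, not taken from a real capture.

```python
import json
import struct

OPCODES = {0x0: "Continuation", 0x1: "Text", 0x2: "Binary",
           0x8: "Close", 0x9: "Ping", 0xA: "Pong"}

def build_frame(payload, opcode=0x1, mask=b""):
    """Encode one FIN frame (RFC 6455 5.2); a 4-byte mask makes it a client frame."""
    mbit = 0x80 if mask else 0
    n = len(payload)
    if n < 126:
        head = bytes([0x80 | opcode, mbit | n])
    elif n < 65536:
        head = bytes([0x80 | opcode, mbit | 126]) + struct.pack("!H", n)  # 16-bit ext.
    else:
        head = bytes([0x80 | opcode, mbit | 127]) + struct.pack("!Q", n)  # 64-bit ext.
    if mask:
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return head + mask + payload

def parse_frames(data):
    """Return complete frames in a raw stream (client frames unmasked); a partial tail is skipped."""
    frames, pos = [], 0
    while pos + 2 <= len(data):
        b0, b1 = data[pos], data[pos + 1]
        length, p = b1 & 0x7F, pos + 2
        ext = {126: ("!H", 2), 127: ("!Q", 8)}.get(length)  # extended length form
        if ext:
            if p + ext[1] > len(data):
                break
            length, p = struct.unpack(ext[0], data[p:p + ext[1]])[0], p + ext[1]
        mask = data[p:p + 4] if b1 & 0x80 else b""
        p += len(mask)
        if (b1 & 0x80 and len(mask) < 4) or p + length > len(data):
            break
        payload = data[p:p + length]
        if mask:
            payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
        frames.append({"fin": bool(b0 & 0x80), "opcode": OPCODES.get(b0 & 0x0F, hex(b0 & 0x0F)),
                       "masked": bool(mask), "length": length, "payload": payload})
        pos = p + length
    return frames

# Constructed sample, not a real capture: the question's 1092-byte server text frame, then a masked client "ping".
SAMPLE_TEXT = json.dumps({"_data": "0123456789" * 108}, separators=(",", ":")).encode()
SAMPLE_STREAM = build_frame(SAMPLE_TEXT) + build_frame(b"ping", mask=b"\x12\x34\x56\x78")

if __name__ == "__main__":
    for f in parse_frames(SAMPLE_STREAM):
        print(f["opcode"], f["length"], f["payload"].decode("utf-8", "replace"))
```

Running it prints each frame's full text payload with no 250-character cut-off; the first four bytes of the sample stream are 81 7e 04 44, matching the Fin/Text/126/1092 header fields shown in the question.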

So I've installed the latest version TShark 4.3.1 to make sure I am up-to-date:

  • tshark -Y websocket -P -V -d tcp.port==8080,websocket does not work: Protocol "websocket" isn't valid for layer type "tcp.port"

  • tshark --enable-heuristic websocket_tcp does not work: No such protocol websocket_tcp, can't enable

  • Adding a column to display the websocket.payload.text field does not work: This field only existed in version 4.0.8 to 4.2.6.

  • Any of the other types of outputs will display information without truncation: That's not correct. With json, jsonraw, pdml, ps the values are still truncated. For ek, however, the values do not seem truncated (even though it says [truncated]).

All this is very confusing.

BigBen ( 2024-08-12 11:34:56 +0000 )