how to print tcp.reassembled.data value during live capture using tshark?

I'm using tshark to read HTTP packets from a .pcap file and print the reassembled TCP data to the screen. The HTTP runs on port 1030 instead of the default 80. The command below decodes port 1030 as HTTP and applies some display filters for source IP, source port and HTTP method.

tshark -d tcp.port==1030,http -Y ip.src=='10.106.224.3' -Y tcp.srcport==1030 -Y http.request.method=='POST' -T fields -e tcp.reassembled.data -r 3_minute_20201028.pcapng.gz

This works fine for the .pcap file; sample output is below:


I'm trying to adapt the above command to run during live capture; I've switched -r ... to -i vestas_sim_br, which is the name of the docker bridge interface. The full command is below:

tshark -d tcp.port==1030,http -Y ip.src=='192.168.20.11' -Y tcp.srcport==1030 -Y http.request.method=='POST' -T fields -e tcp.reassembled.data -i vestas_sim_br

The command runs and seems to capture traffic, but all I see are blank lines and the cursor moving down the screen. After I kill it with Ctrl+C it displays the number of packets captured.

Capturing on 'vestas_sim_br' ^C8 packets captured

The .pcap file had only 1 session that was kept open. Docker seems to create one session per full exchange. I'm not sure if this matters in this case.

Looking at the live capture in Wireshark with the display filter http and xml and ip.src==192.168.20.11 and tcp.srcport==1030, after adding Reassembled TCP Data as a column I can see it for each packet.

I'm not sure what's going wrong. I appreciate the help.
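As an added helper, not part of the question above and not a tshark feature, the script below post-processes what `tshark -T fields -e tcp.reassembled.data` prints: one row per matched packet, with byte-valued fields rendered as colon-separated hex and an empty row when the field is absent from that packet. The sample rows are constructed here (`to_tshark_hex` exists only to build them), and the assumption is that the blank lines seen in the live capture are exactly such empty rows. It decodes each row back to bytes, rejects rows that are not in tshark's hex format, pulls the HTTP request line and body length out of each decodable payload, and reports how many rows carried no reassembled data at all, which is the first thing to check when a field column looks empty.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# tshark -T fields prints a bytes field as colon-separated hex (e.g. 50:4f:53:54).
_HEX_FIELD = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*$")


def to_tshark_hex(payload: bytes) -> str:
    """Render bytes the way tshark -T fields prints a bytes field.
    Used here only to construct sample rows; this is not a tshark function."""
    return ":".join(f"{b:02x}" for b in payload)


# Constructed sample of four output rows: two decodable HTTP payloads and two
# blank rows standing in for packets where tcp.reassembled.data was absent.
SAMPLE_LINES: List[str] = [
    to_tshark_hex(b"POST /soap HTTP/1.1\r\nHost: 192.168.20.11\r\n\r\n<xml/>"),
    "",
    "",
    to_tshark_hex(b"GET / HTTP/1.1\r\n\r\n"),
]
SAMPLE_FIELD_OUTPUT = "\n".join(SAMPLE_LINES) + "\n"


def decode_field(line: str) -> Optional[bytes]:
    """Turn one output row back into bytes. Returns None for a blank row and
    raises ValueError for anything that is not tshark's hex byte format
    (which happens if extra -e columns get mixed into the same line)."""
    line = line.strip()
    if not line:
        return None
    if not _HEX_FIELD.match(line):
        raise ValueError(f"not a tshark bytes field: {line[:40]!r}")
    return bytes.fromhex(line.replace(":", ""))


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (method, request-target, body length) for an HTTP/1.x request,
    or None when the payload does not start with a request line."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method = parts[0].decode("ascii", "replace")
    target = parts[1].decode("ascii", "replace")
    return method, target, (len(body) if sep else 0)


def summarize(field_output: str) -> Dict[str, object]:
    """Count blank versus decodable rows and list the requests that decoded."""
    total = blank = 0
    requests: List[Tuple[str, str, int]] = []
    for row in field_output.splitlines():
        total += 1
        payload = decode_field(row)
        if payload is None:
            blank += 1
            continue
        parsed = parse_http_request(payload)
        if parsed is not None:
            requests.append(parsed)
    return {"total": total, "blank": blank, "requests": requests}


if __name__ == "__main__":
    # Pass "-" to read real tshark output from stdin; otherwise use the sample.
    data = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_FIELD_OUTPUT
    summary = summarize(data)
    print(f"{summary['blank']} of {summary['total']} rows carried no reassembled data")
    for method, target, body_len in summary["requests"]:
        print(f"{method} {target} body={body_len} bytes")
```

Run on its own it uses the constructed sample; piping `tshark ... -T fields -e tcp.reassembled.data | python3 script.py -` feeds it real rows. A high blank count with a non-zero packet count means the dissector did not attach tcp.reassembled.data to those packets, which separates "the field is empty" from "nothing matched the filter" before looking any further.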