How to suppress ASCII length when using tshark to output TCP streams?

I captured a simple HTTP request and response in a pcap file. When showing the TCP stream with tshark:

tshark -r output.pcap -Y http -qz follow,tcp,ascii,0

I get the following results:

===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 127.0.0.1:58748
Node 1: 127.0.0.1:4000
157
POST /payload HTTP/1.1
Host: localhost:4000
User-Agent: curl/8.1.2
Accept: */*
Content-Length: 4
Content-Type: application/x-www-form-urlencoded

bram
    245
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 11
ETag: W/"b-qochATLyV9QKlqXy0HGxicmrkmQ"
Date: Tue, 14 Nov 2023 15:37:09 GMT
Connection: keep-alive
Keep-Alive: timeout=5

{"bram":""}
===================================================================

Is it possible to get rid of the ASCII length (245) in such outputs?

I want to be able to reassemble TCP streams for full HTTP request/response pairs, and analyse them further in a different application.
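
An added example (not part of the original question and not Wireshark project code): a Python parser for the block shown above that uses each counter to read exactly that many bytes and tags the chunk by node, instead of deleting digit-only lines, which would also delete a body such as `4000`. It assumes the counter is the chunk's byte length (157 and 245 match the request and response above when line endings are counted as CRLF), that Node 1 counters are indented, and that one newline is printed after each chunk; `parse_follow`, `strip_lengths` and `SAMPLE` are names chosen here.

```python
import re
import sys

# Length line: optional indent (marks Node 1 data), byte count, end of line.
LENGTH_LINE = re.compile(rb"([ \t]*)(\d+)\r?\n")

def parse_follow(output: bytes):
    """Split one follow,tcp,ascii block into [(node, payload), ...]."""
    header = re.search(rb"^Node 1: .*\n", output, re.MULTILINE)
    if header is None:
        raise ValueError("no 'Node 1:' header line found")
    pos, chunks = header.end(), []
    while pos < len(output) and not output.startswith(b"====", pos):
        m = LENGTH_LINE.match(output, pos)
        if m is None:
            raise ValueError(f"expected a length line at byte offset {pos}")
        size, start = int(m.group(2)), m.end()
        payload = output[start:start + size]
        if len(payload) != size:
            raise ValueError("block ends before the announced length")
        chunks.append((1 if m.group(1) else 0, payload))
        pos = start + size
        if output.startswith(b"\n", pos):  # newline assumed after each chunk
            pos += 1
    return chunks

def strip_lengths(output: bytes) -> bytes:
    """Concatenate the payloads in capture order, without the counters."""
    return b"".join(payload for _, payload in parse_follow(output))

# Constructed sample: the capture from the question, rebuilt with CRLF endings.
REQ = (b"POST /payload HTTP/1.1\r\nHost: localhost:4000\r\n"
       b"User-Agent: curl/8.1.2\r\nAccept: */*\r\nContent-Length: 4\r\n"
       b"Content-Type: application/x-www-form-urlencoded\r\n\r\nbram")
RESP = (b"HTTP/1.1 200 OK\r\nX-Powered-By: Express\r\n"
        b"Content-Type: application/json; charset=utf-8\r\nContent-Length: 11\r\n"
        b'ETag: W/"b-qochATLyV9QKlqXy0HGxicmrkmQ"\r\n'
        b"Date: Tue, 14 Nov 2023 15:37:09 GMT\r\nConnection: keep-alive\r\n"
        b"Keep-Alive: timeout=5\r\n\r\n" b'{"bram":""}')
BAR = b"=" * 67 + b"\n"
SAMPLE = (BAR + b"Follow: tcp,ascii\nFilter: tcp.stream eq 0\n"
          b"Node 0: 127.0.0.1:58748\nNode 1: 127.0.0.1:4000\n"
          + b"%d\n" % len(REQ) + REQ + b"\n"
          + b"\t%d\n" % len(RESP) + RESP + b"\n" + BAR)

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    sys.stdout.buffer.write(strip_lengths(data))
```

Pipe the tshark command from the question into the script to run it on a real capture. ASCII mode prints non-printable bytes as dots, so the result is byte-exact only for text payloads.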