This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can you change the http header view

0

Hi, When viewing HTTP Headers I notice its in tree format and copy pasting is somewhat trivial.

Its no big deal at all, but I was just wondering is there a way to view the response headers in "raw" text?

Like I could highlight and copy paste. I actually dont even want to copy paste I just want it to be in text mode the way a browser sees it, like no extra data at the end after the last \r\n. Even maybe instead of \r\n just a newline and instead of putting the x-www-form-urlencoded data way way at the bottom on a new tree node just have it appear the way it does in the raw header body?

Im not sure if Ive been clear with my question :S let me know and i will try to make it more clear if not.

THANKS!

asked 22 May '14, 16:19

leathan's gravatar image

leathan
6112
accept rate: 0%


One Answer:

0

Use TCP "Follow Stream" and the resulting dialog gives you the raw text which you can copy and paste elsewhere. Note the dialog contains all the contents of that particular stream, not just the headers.

answered 23 May '14, 02:22

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

It would make your comment even more perfect if you could explain how to keep this type of view up for the entire conversation between my server. When I enter this view it shows me the entire stream UP TILL THAT POINT. and will not refresh or continue the stream with my server. Not a big problem I just use tcp.stream eq # || http and open up a new "view stream" window. I notice that this is because its actually a new stream, but maybe you can add how to leave this view up for the entire session between a specific server? What I mean by this is have the window you showed me continually update its content in real time! Either way you have been more than helpful. this was exactly what I wanted.

(23 May '14, 05:32) leathan
1

Unfortunately, the "entire conversation" for http streams is usually carried over several TCP streams, and the "Follow TCP Stream" functionality only works for a single stream at a time, and, as you mention, only works for the stream contents in the capture at that point.

Your other option is to use tshark at the command prompt to display only http headers. There may be existing questions on that.

(23 May '14, 06:04) grahamb ♦