Hello all,
I am trying to display the content of websocket traffic between my machine and a server. The server is running an HTTP server on port 8080. I am especially interested in displaying the full text content of websocket packets with text content.
To do so, I am using the following command:
tshark -Y websocket -P -V
However, I am facing several issues.
- First of all, if I don’t start the capture before the client connects to the server, nothing is being captured and displayed. There might be several issues here. Maybe if tshark does not see the connection, it cannot guess that there is HTTP traffic on port 8080. And also, if tshark does not see the “HTTP upgrade”, it cannot guess that there is websocket traffic. How can I decode this websocket traffic, even after starting tshark well after the client-server connection occurred?
- If I start tshark before the client-server connection occurs, it is OK. But the text content of the websocket payload is truncated, so I do not see the entire content:
For example:
WebSocket
1... .... = Fin: True
.000 .... = Reserved: 0x0
.... 0001 = Opcode: Text (1)
0... .... = Mask: False
.111 1110 = Payload length: 126 Extended Payload Length (16 bits)
Extended Payload length (16 bits): 1092
Payload
Text [truncated]: {"_data":”0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
Line-based text data (1 lines)
[truncated]{"_data":”0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456
How can I print the entire content?
Thanks in advance for the help.
I have tried with tshark Windows version 4.2.6 and tshark Linux version 3.4.10.
Ben
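
The frame layout in the dissection above (FIN, opcode, mask bit, a 7-bit length of 126 followed by a 16-bit extended length of 1092), as an added example that is not part of the original post: a minimal RFC 6455 frame decoder in Python that returns the whole payload of a frame. The function name `parse_frame` and the sample frame are assumptions constructed for illustration, not captured traffic.

```python
import struct

OPCODES = {0x0: "Continuation", 0x1: "Text", 0x2: "Binary",
           0x8: "Close", 0x9: "Ping", 0xA: "Pong"}

def parse_frame(buf: bytes):
    """Decode one RFC 6455 frame; return (fields, bytes_consumed)."""
    if len(buf) < 2:
        raise ValueError("truncated frame header")
    b0, b1 = buf[0], buf[1]
    f = {"fin": bool(b0 & 0x80), "reserved": (b0 >> 4) & 0x7,
         "opcode": b0 & 0x0F, "mask": bool(b1 & 0x80), "len7": b1 & 0x7F}
    pos, length = 2, f["len7"]
    # 126 and 127 are escape values: the real length follows in 16 or 64 bits.
    ext = {126: ("!H", 2), 127: ("!Q", 8)}.get(length)
    if ext:
        fmt, size = ext
        if len(buf) < pos + size:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack_from(fmt, buf, pos)
        pos += size
    key = b""
    if f["mask"]:  # client-to-server frames carry a 4-byte masking key
        key = buf[pos:pos + 4]
        if len(key) != 4:
            raise ValueError("truncated masking key")
        pos += 4
    payload = buf[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated frame body")
    if key:
        payload = bytes(c ^ key[i % 4] for i, c in enumerate(payload))
    # A fragmented message may split a UTF-8 sequence, hence errors="replace".
    text = payload.decode("utf-8", errors="replace") if f["opcode"] == 0x1 else None
    f.update(length=length, payload=payload, text=text,
             opcode_name=OPCODES.get(f["opcode"], "Unknown"))
    return f, pos + length

# Constructed sample: an unmasked text frame with a 1092-byte payload,
# matching the header values shown in the dissection (not captured traffic).
SAMPLE_TEXT = '{"_data":"' + "0123456789" * 108 + '"}'
SAMPLE_FRAME = bytes([0x81, 0x7E]) + struct.pack("!H", 1092) + SAMPLE_TEXT.encode()

if __name__ == "__main__":
    fields, used = parse_frame(SAMPLE_FRAME)
    print(fields["opcode_name"], fields["length"], used)
    print(fields["text"])  # whole payload, no truncation
```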