This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Print only the content of an HTTP response with tshark

Is tshark able to print only the content of an HTTP response? By "content of an HTTP response" I mean the part that is normally displayed by the web browser. When I use the command

tshark -i lo -x -R 'http.response.code == 200' -l

the response can occur in several different places:

  1. It can be part of the output that follows the heading "Reassembled TCP". That's the case when I request http://httpbin.org/html.
  2. It can be part of the output that follows the heading "De-chunked entity body". That's the case when I request httpbin.org/stream-bytes/10.
  3. It can be part of the output that follows the heading "Uncompressed entity body". That's the case when I request httpbin.org/gzip.
  4. It can be part of the output that does not follow a heading. That's the case when I request http://httpbin.org/deny.

I created a demo for each of these cases at http://pastebin.com/uEWuHagu

In the first case I would like to get that part of "Reassembled TCP" that follows <!DOCTYPE html.

In the second case I would like to get everything that follows the line "De-chunked entity body (10 bytes):"

In the third case I would like to get everything that follows the line "Uncompressed entity body (462 bytes):"

In the fourth case I would like to get everything that belongs to the ASCII image and everything that follows that image.

I am not sure if another situation is possible. I would like to get the described response in any situation. It would be fantastic if that is possible.

asked 27 Jan '15, 17:57

miachino

edited 28 Jan '15, 05:39


One Answer:

You can get the de-chunked entity body one by printing the "data" field, like this:

tshark -i lo -Y 'http.response.code == 200' -T fields -e data

For the others, I don't know of a way to get them with tshark alone, but you can use a Lua script to get them.

For example the script provided in this link's answer, with the following tshark command:

# the following is all one command line:
tshark -i lo -Y 'http.response.code == 200' -T fields -e extractor.string -X lua_script:extract.lua -X lua_script1:data-text-lines -X lua_script1:json

I can explain how to modify that script to get the data field as well, if you wish.

answered 28 Jan '15, 20:35

Hadriel

@Hadriel Thanks for your answer. Unfortunately I have no idea about Lua. Therefore I am not even able to read the script that you wrote as a reply to the other question. Because of that I am at least sceptical that I would understand your explanations. But of course it would be very kind of you if we could give it a try.

(31 Jan '15, 10:35) miachino
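
An added example (not part of the original thread, and not the Lua script the answer refers to): a Python post-processor for one packet's `tshark -x` hex dump that picks the most-decoded data source among the headings listed in the question and returns the body from it. The function names, the assumed hex line layout, the use of "Frame" for a dump without a heading, and the sample dump are all constructed for illustration.

```python
import re

# Data-source headings printed by `tshark -x`, most-decoded first. A dump with
# no heading has a single source, treated here as the raw frame (assumption).
PREFERENCE = ("Uncompressed entity body", "De-chunked entity body",
              "Reassembled TCP", "Frame")
HEADING = re.compile(r"^(.+) \((\d+) bytes?\):\s*$")
# Assumed hex line layout: 4-digit offset, two spaces, up to 16 "xx" bytes.
HEXLINE = re.compile(r"^[0-9a-f]{4}  ((?:[0-9a-f]{2} ){0,15}[0-9a-f]{2})")

def parse_sources(dump):
    """Split one packet's `tshark -x` hex dump into {heading: bytes}."""
    sources, current = {}, "Frame"
    for line in dump.splitlines():
        heading = HEADING.match(line)
        row = HEXLINE.match(line)
        if heading:
            current = heading.group(1)
        elif row:
            sources.setdefault(current, bytearray()).extend(
                bytes.fromhex(row.group(1)))
    return {name: bytes(data) for name, data in sources.items()}

def response_body(dump):
    """Return the body from the most-decoded source, or None if not found."""
    sources = parse_sources(dump)
    name = next((n for n in PREFERENCE if n in sources), None)
    if name is None:
        return None
    data = sources[name]
    if name.endswith("entity body"):
        return data                       # tshark already stripped the headers
    start = data.find(b"HTTP/1.")         # skip link/IP/TCP bytes in a frame
    end = data.find(b"\r\n\r\n", start) if start != -1 else -1
    return data[end + 4:] if end != -1 else None

# Constructed sample: chunked response; link/IP/TCP headers omitted from Frame.
SAMPLE = """\
Frame (67 bytes):
0000  48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d   HTTP/1.1 200 OK.
0010  0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69   .Transfer-Encodi
0020  6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 0d 0a 61   ng: chunked....a
0030  0d 0a 30 31 32 33 34 35 36 37 38 39 0d 0a 30 0d   ..0123456789..0.
0040  0a 0d 0a                                          ...

De-chunked entity body (10 bytes):
0000  30 31 32 33 34 35 36 37 38 39                     0123456789
"""
print(response_body(SAMPLE))
```

Without the preference order, the fallback to the raw frame would return the body with its chunk-size lines still in it, which is why the decoded sources are checked first.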