This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to get untruncated text from tshark with chunked, compressed http traffic

0

I have some http traffic which happens to be served compressed, chunked and encrypted. I have the client master-secrete and CLIENT_RANDOM, so I am using that to decrypt the traffic.

I'm using a bleeding edge build (win32-2.1.0-132-g3ef2fd6) as it seems to supports combined dechunking, decompression and decryption well. Everything works in the wireshark GUI, but it would be convenient to be able to export the plain text of the HTTP request and response using tshark. I can get the full ASCII text in the GUI by going:

Uncompressed Entity Body -> Line-based text data -> right click -> Copy -> ...As printable text

However, with tshark, I can only get the first few bytes of that text by using:

tshark.exe -Y "http" -o ssl.keylog_file:"{key_file}" -r "{input_file}" -T fields -e text

Which returns something like:

Source GeoIP: Unknown,Destination GeoIP: Unknown,GET / HTTP/1.1\r\n,\r\n
Source GeoIP: Unknown,Destination GeoIP: Unknown,HTTP/1.1 200 OK\r\n,\r\n,HTTP chunked response,Data
 chunk (7516 octets),Data chunk (8192 octets),Data chunk (4307 octets),End of chunked encoding,\r\n,
Content-encoded entity body (gzip): 20015 bytes -> 107148 bytes, [truncated] The first few bytes of the http
response. If I keep going on and on and on and on and on and on and on and on and on and on and on

Is there a way to get the non-truncated text using tshark?

asked 16 Oct '15, 14:05

dishesmolasse's gravatar image

dishesmolasse
6112
accept rate: 0%


One Answer:

0

Please see my answer to a similar question:

https://ask.wireshark.org/questions/43023/want-to-use-tshark-to-decode-a-specific-packet-and-do-not-truncate-lines

I did not try, but maybe the 'follow' option might work as well in 2.1.0 incl. decompression (as I said, not tested, just speculation).

tshark -nr input.pcap ... -z follow,tcp,ascii,1

Please replace 1 with the correct TCP stream number.

Regards
Kurt

answered 19 Oct '15, 16:35

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 19 Oct '15, 16:49