Dear list,
I currently am using the following:
tshark -R "tcp.port == 80 and ip.addr == 123.123.123.123 and not
tcp.analysis.retransmission" -r capture.pcap -T fields -E
quote=s -E header=y -e frame.number -e ip.len -e tcp.len -e ip.src -e
http.request.uri -E separator=","
I'd like to include an ASCII representation of the TCP payload (just
the first 30 bytes) on each line too, so that I can visually spot the
HTTP traffic, and see parts of the response.
Is that possible?
I'm using tshark 0.99.6rel-5.
Much thanks,
Nick