Wireshark-users: Re: [Wireshark-users] tshark http -e options

From: Shain Singh <shain.singh@xxxxxxxxx>
Date: Sat, 25 May 2013 21:12:18 +1000
you can use "-e text" to grab the returned output.

tshark -G | grep http

will show you the valid http.* related filters

On 22 May 2013 06:39, Chris Datfung <chris.datfung@xxxxxxxxx> wrote:
> Hi,
> I want to use tshark to capture http requests and responses. I have having
> difficulty getting POST bodies and the HTML response body to appear. I'm
> using the following command:
> tshark -R "http.response or http.request" -T fields -E separator="|" -e
> frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e
> http.request.version -e http.request.method -e http.request -e http.host -e
> http.request.uri -e http.user_agent -e http.response.code -e
> http.content_type -e http.content_length -e http.location -e http.referer -e
> http.response.body
> Is there a URL that shows all possible -e flags? Can someone suggest how I
> can print a pipe deliminated output of the entire http request and response
> pair?
> Thanks,
> Chris
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

Shaineel Singh
e: shain.singh@xxxxxxxxx
p: +61 422 921 951
w: http://buffet.shainsingh.com

"Too many have dispensed with generosity to practice charity" - Albert Camus