How do I return just the HTTP header from tshark?

I'm using tshark to sniff my packets and I'm only concerned with the HTTP header (preferably in the form it's sent, but I'll take what I can get).

I tried using:

tshark tcp port 80 or tcp port 443 -V -R "http"

Which gave me the header, but also content (which I don't want, as it's a large amount of garbage to parse). I really only care about the header. Is there any easy way to get just that (other than parsing the data myself)?

Edit: I should qualify I also care about host/port so I can keep track of requests across multiple packets.


You can use the specific HTTP header display filters to show either just the request headers, just the response headers or both.

For just the request headers:

tshark tcp port 80 or tcp port 443 -V -R "http.request"

For just the response headers:

tshark tcp port 80 or tcp port 443 -V -R "http.response"

And for both the request and response headers:

tshark tcp port 80 or tcp port 443 -V -R "http.request || http.response"

Note: This does not filter out just the headers, just the packets that contain the headers, so you will likely still get some data, but the amount of data should be less than you would otherwise.


In fact you can! All previous answers were very close. All you need is the -O flag, which filters out all the information but HTTP.

tshark -O http -R http.request tcp port 80 or tcp port 443

I was able to combine the answer from @heavyd and run it through a sed filter I got from an SO article - (F.J.'s answer) to cook up this baby, which filters out just the headers :)

sudo tshark tcp port 80 or tcp port 443 -V -R "http.request || http.response" | sed -rn '/Hypertext Transfer Protocol/{:a;N;/    \\r\\n:?/{/.*/p;d};ba}' >> /tmp/filtered

My own filter version for easy reading:

tshark -V -R "tcp.port ==80 && (http.request || http.response)" | awk "/Hypertext Transfer Protocol/,/Frame/ { print };/Transmission Control Protocol/{print};/Internet Protocol/{print}" | grep -v Frame

This way I see only relevant IP and TCP information, without all the low level stuff, plus the complete HTTP info.
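As an added example (not code from any of the answers above), here is a small Python parser over `tshark -V` text that keeps only the header lines as they were sent plus the IP/port endpoints the question's edit asks for, and drops the body. The `SAMPLE` text is constructed to mimic tshark's layout (header lines at one 4-space indent level ending in a literal `\r\n`, decoded sub-fields indented deeper); that layout is an assumption, so check it against your tshark version.

```python
import re

# Constructed sample of `tshark -V` text (two frames, trimmed); not captured from a real host.
SAMPLE = r"""Frame 1: 140 bytes on wire (1120 bits), 140 bytes captured (1120 bits)
Internet Protocol Version 4, Src: 10.0.0.5, Dst: 192.0.2.10
Transmission Control Protocol, Src Port: 51234, Dst Port: 80, Seq: 1, Ack: 1, Len: 74
Hypertext Transfer Protocol
    GET /index.html HTTP/1.1\r\n
        Request Method: GET
    Host: example.test\r\n
    User-Agent: curl/8.0\r\n
    \r\n
Frame 2: 200 bytes on wire (1600 bits), 200 bytes captured (1600 bits)
Internet Protocol Version 4, Src: 192.0.2.10, Dst: 10.0.0.5
Transmission Control Protocol, Src Port: 80, Dst Port: 51234, Seq: 1, Ack: 75, Len: 134
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Content-Type: text/html\r\n
    Content-Length: 13\r\n
    \r\n
Line-based text data: text/html (1 lines)
    <html></html>
"""

IP_RE = re.compile(r"^Internet Protocol Version [46], Src: ([^,\s]+), Dst: ([^,\s]+)")
TCP_RE = re.compile(r"^Transmission Control Protocol, Src Port: (\d+), Dst Port: (\d+)")

def extract_http_headers(verbose_output):
    # One dict per HTTP message: src/sport/dst/dport plus the header lines as sent on the wire.
    records, ends, headers = [], {}, None
    for line in verbose_output.splitlines():
        if line.startswith("Frame "):
            headers = None          # new packet: stop collecting an unterminated header block
        elif m := IP_RE.match(line):
            ends["src"], ends["dst"] = m.groups()
        elif m := TCP_RE.match(line):
            ends["sport"], ends["dport"] = m.groups()
        elif line.startswith("Hypertext Transfer Protocol"):
            headers = []
            records.append(dict(ends, headers=headers))   # appended now, filled in below
        elif headers is not None and line.endswith(r"\r\n") and line.startswith("    ") and line[4] != " ":
            # Exactly one indent level plus a literal "\r\n" marks a real header line; deeper
            # lines are tshark's decoded sub-fields, and the empty line ends the header block.
            text = line[4:-4]
            if text:
                headers.append(text)
            else:
                headers = None      # body lines that follow are deliberately not collected
    return [r for r in records if r["headers"]]
```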