Tshark: how to configure logging of only the HTTP protocol?
I ran into a problem: I can’t get tshark to write to the dump file only the traffic containing the HTTP protocol, so that everything else is not written to the file.
The manuals, unfortunately, describe only how to read from an existing dump, removing unnecessary ones.
Tried running like this:
sudo tshark -i eth0 -w test.pcap -d tcp.port==80,http
like this:
sudo tshark -i eth0 "http" -w test.pcap
like this:
sudo tshark -i eth0 "http" - w test.pcap -f "protocol:http"
Unfortunately, it either crashes with an error, or again writes everything to test.pcap.
If anyone knows, please tell me the command or which parameter should be added. I would be very grateful for help.
sudo tshark -i eth0 -w test.pcap port 80
https://wiki.wireshark.org/CaptureFilters
I guess you can't filter out the L7 protocol with tshark. Perhaps a suitable option would be to filter this traffic in iptables using l7 filter to isolate only HTTP, and then dump it through tshark / tcpdump.
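Added example, not part of the original answers: a capture filter (`-f`, or the trailing arguments used in the first answer) is a BPF expression, and BPF can compare the first payload bytes of a TCP segment, which narrows a port-based capture to segments that begin with an HTTP token. The function names, the token list and the interface/file arguments are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the thread). Builds a BPF capture filter that keeps
# only TCP segments whose payload starts with a 4-byte HTTP token, then passes
# it to tshark -f so other packets are never written to the output file.

# Hex-encode the first 4 bytes of a token, e.g. "GET " -> 47455420.
hex4() {
    printf '%s' "$1" | od -An -tx1 -N4 | tr -d ' \n'
}

# http_bpf PORT TOKEN...  (each TOKEN must be exactly 4 bytes long)
# (tcp[12:1] & 0xf0) >> 2 is the TCP header length in bytes, i.e. the offset
# of the payload, so tcp[<offset>:4] is the first 4 payload bytes.
http_bpf() (
    port="$1"; shift
    off='((tcp[12:1] & 0xf0) >> 2)'
    clause=""
    for tok in "$@"; do
        clause="${clause}${clause:+ or }tcp[${off}:4] = 0x$(hex4 "$tok")"
    done
    printf 'tcp port %s and (%s)' "$port" "$clause"
)

# capture_http IFACE OUTFILE  (hypothetical wrapper; arguments are placeholders)
# Requests are matched by method, responses by the leading "HTTP" of "HTTP/1.x".
capture_http() {
    sudo tshark -i "$1" -w "$2" \
        -f "$(http_bpf 80 'GET ' 'POST' 'HEAD' 'PUT ' 'HTTP')"
}
```

The resulting file holds only the first segment of each matching request or response, and only over IPv4, because `tcp[...]` indexing in libpcap filters does not apply to IPv6. Later segments of the same message do not start with a token and are dropped, so a full port-based capture is still needed when bodies must be reassembled.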