Tshark, how to configure logging to only http protocol?

R

r85qPZ1d3y2016-10-25 07:56:14

linux

r85qPZ1d3y, 2016-10-25 07:56:14

I ran into a problem, I can’t write through tshark to the dump file traffic containing only the http protocol, and everything else so that it is not written to the file.
The manuals, unfortunately, describe only how to read from an existing dump, removing unnecessary ones.
Tried running like this:
sudo tshark -i eth0 -w test.pcap -d tcp.port==80,http
like this:
sudo tshark -i eth0 "http" -w test.pcap
like this:
sudo tshark -i eth0 "http" - w test.pcap -f "protocol:http"
Unfortunately, it either crashes with an error, or again writes everything in test.pcap.
Who knows, tell me the command, which parameter should be added. I would be very grateful for help.

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

R

Rsa97, 2016-10-25
@Rsa97

sudo tshark -i eth0 -w test.pcap port 80
https://wiki.wireshark.org/CaptureFilters

D

Dmitry Shitskov, 2016-10-25
@Zarom

I guess you can't filter out the L7 protocol with tshark. Perhaps a suitable option would be to filter this traffic in iptables using l7 filter to isolate only HTTP, and then dump it through tshark / tcpdump.