Reputation: 15675
I am debugging an HTTP REST interface where both the client and the server are written in Java (i.e. no JavaScript and not running off a browser).
In order to visualize an HTTP exchange, I can click on a packet and follow a TCP stream, which will show me only the HTTP layer, but I have to do this on a per TCP stream basis.
I have a feeling I'm not using the right tool (wireshark) or I'm using it wrong. How do you guys do it?
Note: I know about firebug and similar tools, but remember I do not have a browser involved in all this
Note2: I hope the question's useful to more people, so all platforms are welcome. I however personally would need something in Linux
Upvotes: 0
Views: 449
Reputation: 24759
Fiddler is a must have for web developers but still works for stand alone apps that make web requests (with a little tweaking, it even does HTTPS). It sets itself up as a proxy and gives you a lot of control over your traffic including editing it on the fly, emulating dial up speeds, setting breakpoints on particular types of traffic, and several syntax views for at least JSON and XML (maybe others? those are the only views I use).
Upvotes: 1
Reputation: 12572
Bro is an apt tool for your use case. It automatically reassembles the TCP stream and runs application-layer (e.g., HTTP) parsers on top. Bro works well on Linux and has found wide adoption in the network measurement and network security community.
In your case, run Bro as follows:
bro -C -r <trace>
and inspect the resulting http.log. It should look somewhat like this (trimmed on the right end):
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1258535653.087137 an7i43AgB5h 192.168.1.104 1191 65.54.95.64 80 1 HEAD download.windowsupdate.com /v9/windowsupdate/redir/muv4wuredir.cab?0911180916 - Windows-Update-Agent 0 0
1258535655.525107 qPXo2uv96I5 192.168.1.104 1192 65.55.184.16 80 1 HEAD www.update.microsoft.com /v9/windowsupdate/selfupdate/wuident.cab?0911180916 - Windows-Update-Agent 0 0
1258535656.495997 9vr3tgviuu6 192.168.1.104 1193 65.54.95.64 80 1 HEAD download.windowsupdate.com /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916 - Windows-Update
The accompanying tool bro-cut allows you to reduce the output to the fields you need, e.g.:
bro-cut id.orig_h id.resp_h method host uri < http.log | head
Some example output:
192.168.1.104 65.54.95.64 HEAD download.windowsupdate.com /v9/windowsupdate/redir/muv4wuredir.cab?0911180916
192.168.1.104 65.55.184.16 HEAD www.update.microsoft.com /v9/windowsupdate/selfupdate/wuident.cab?0911180916
192.168.1.104 65.54.95.64 HEAD download.windowsupdate.com /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916
192.168.1.104 65.54.95.64 GET download.windowsupdate.com /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916
192.168.1.104 65.54.95.64 HEAD download.windowsupdate.com /v9/windowsupdate/redir/muv4wuredir.cab?0911180916
192.168.1.104 65.54.95.64 HEAD download.windowsupdate.com /v9/windowsupdate/redir/muv4wuredir.cab?0911180916
192.168.1.102 212.227.97.133 POST 212.227.97.133 /rpc.html?e=bl
192.168.1.102 87.106.1.47 POST 87.106.1.47 /rpc.html?e=bl
192.168.1.102 87.106.1.89 POST 87.106.1.89 /rpc.html?e=bl
192.168.1.102 87.106.12.47 POST 87.106.12.47 /rpc.html?e=bl
Upvotes: 1
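The http.log format the answer above shows is a self-describing tab-separated file: the `#separator`, `#unset_field`, `#empty_field` and `#fields` header lines tell you how to read the data rows. The following is an added example, not code from the answerer or from the Bro project, that reads such a log in Python, selects columns the way `bro-cut` does, and additionally groups requests by connection `uid` so that a keep-alive TCP stream carrying several requests can be read as one unit (the per-stream view the question asks for). The sample log is constructed from the excerpt in the answer; the original rows were trimmed, so the `status_code`/`status_msg` values, the ports of the POST row and the second request on connection `an7i43AgB5h` are made up to exercise the parser.

```python
"""Reader for the Bro (now Zeek) tab-separated ASCII log format.

Added example, not part of the Stack Overflow answer or of the Bro project.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Record = Dict[str, Optional[str]]

# Constructed sample modelled on the http.log excerpt in the answer. Values
# the excerpt did not show (status fields, POST ports, the second request on
# an7i43AgB5h) are invented solely to exercise the parser below.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth"
    "\tmethod\thost\turi\treferrer\tuser_agent\trequest_body_len"
    "\tresponse_body_len\tstatus_code\tstatus_msg",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tstring\tstring"
    "\tstring\tstring\tstring\tcount\tcount\tcount\tstring",
    "1258535653.087137\tan7i43AgB5h\t192.168.1.104\t1191\t65.54.95.64\t80\t1"
    "\tHEAD\tdownload.windowsupdate.com"
    "\t/v9/windowsupdate/redir/muv4wuredir.cab?0911180916"
    "\t-\tWindows-Update-Agent\t0\t0\t200\tOK",
    "1258535655.525107\tqPXo2uv96I5\t192.168.1.104\t1192\t65.55.184.16\t80\t1"
    "\tHEAD\twww.update.microsoft.com"
    "\t/v9/windowsupdate/selfupdate/wuident.cab?0911180916"
    "\t-\tWindows-Update-Agent\t0\t0\t200\tOK",
    "1258535656.495997\t9vr3tgviuu6\t192.168.1.104\t1193\t65.54.95.64\t80\t1"
    "\tHEAD\tdownload.windowsupdate.com"
    "\t/v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916"
    "\t-\tWindows-Update-Agent\t0\t0\t200\tOK",
    "1258535700.000000\tCjTTfI3Hx5a\t192.168.1.102\t2048\t212.227.97.133\t80\t1"
    "\tPOST\t212.227.97.133\t/rpc.html?e=bl\t-\t(empty)\t42\t0\t200\tOK",
    "1258535653.300000\tan7i43AgB5h\t192.168.1.104\t1191\t65.54.95.64\t80\t2"
    "\tGET\tdownload.windowsupdate.com"
    "\t/v9/windowsupdate/redir/muv4wuredir.cab?0911180916"
    "\t-\tWindows-Update-Agent\t0\t9213\t200\tOK",
])


def parse_bro_log(text: str) -> List[Record]:
    """Turn a Bro ASCII log into a list of dicts keyed by #fields names.

    Unset fields (#unset_field, usually "-") become None and empty fields
    (#empty_field, usually "(empty)") become "", so the two cases stay
    distinguishable downstream.
    """
    sep, unset, empty = "\t", "-", "(empty)"
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator itself is written escaped (e.g. \x09) after a
                # single space, because it cannot separate its own definition.
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue  # #set_separator, #types, #path, #open, #close are not needed here
        if not fields:
            raise ValueError("data row encountered before the #fields header")
        values = line.split(sep)
        # Bro never writes short rows; tolerate them anyway (the excerpt on the
        # page was trimmed for display) by treating missing columns as unset.
        values += [unset] * (len(fields) - len(values))
        records.append({
            name: (None if raw == unset else "" if raw == empty else raw)
            for name, raw in zip(fields, values)
        })
    return records


def cut_fields(records: List[Record], names: List[str]) -> List[List[str]]:
    """Equivalent of `bro-cut name1 name2 ...`: keep only the named columns,
    rendering unset as '-' and empty as '(empty)' like the log itself."""
    def render(v: Optional[str]) -> str:
        return "-" if v is None else ("(empty)" if v == "" else v)
    return [[render(rec[n]) for n in names] for rec in records]


def by_connection(records: List[Record]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Group requests by connection uid, ordered by trans_depth, so every
    request carried on one keep-alive TCP stream is listed together."""
    conns: Dict[str, List[Tuple[int, str, str]]] = defaultdict(list)
    for rec in records:
        conns[rec["uid"] or "-"].append(
            (int(rec["trans_depth"] or 0), rec["method"] or "-", rec["uri"] or "-"))
    return {uid: sorted(reqs) for uid, reqs in conns.items()}


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_HTTP_LOG)
    for row in cut_fields(recs, ["id.orig_h", "id.resp_h", "method", "host", "uri"]):
        print("\t".join(row))
    for uid, reqs in by_connection(recs).items():
        print(uid, reqs)
```

To use it on a real capture, replace `SAMPLE_HTTP_LOG` with the contents of the http.log that `bro -C -r <trace>` produces; the header-driven parsing means the same function also reads conn.log, dns.log and the other Bro logs without changes.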