Reputation: 611
After googling for hours and trying not to get lost in the different tshark versions, I still can't figure out what command line options to tshark I should use to get the full (reassembled) JSON requests and responses (the JSON data structures).
tshark 2.2.2 used on a live eth0 interface, not to parse pcap files. The requests and responses are gzipped and need to be decoded.
All the wireshark issues that seemed related are marked as "fixed", so I think in 2.2.2 it should be possible.
Upvotes: 2
Views: 1668
Reputation: 611
I found a working solution. It doesn't work on a live interface and requires first saving a pcap file, but it is the best I managed to do with tshark.
Step 1 (capture network traffic):
tshark -i eth0 -f "port 9088" -w capture.pcap
Step 2 (list captured tcp streams):
tshark -r capture.pcap -T fields -e tcp.stream | sort -u
Step 3 (dump the content of one particular tcp stream):
tshark -nr capture.pcap -q -d tcp.port==9088,http -z follow,http,ascii,_your_stream_number
Notice the "-d tcp.port==9088,http" option to force http decoding on this port, as in my case it is a socks5 proxy running on that port.
Most importantly, "-z follow,http,ascii,_your_stream_number", where the "follow,http" feature decodes gzipped http body content; it is undocumented and only available from version 2.2.0 of wireshark/tshark.
Upvotes: 2
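For the case where you only have the raw bytes of a stream (e.g. from "follow,tcp,raw" on an older tshark without "follow,http"), here is an added Python example, not from the answer above, that performs the same decoding step the "follow,http" feature does: it strips chunked transfer encoding and Content-Encoding: gzip from one HTTP response and parses the JSON body. The sample response, the port 9088 reference and the payload contents are constructed for illustration.

```python
import gzip
import json


def decode_chunked(body: bytes) -> bytes:
    """Undo HTTP/1.1 chunked transfer encoding (size lines are hex)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:                                  # last-chunk marker
            break
        pos = end + 2
        out += body[pos:pos + size]
        pos += size + 2                                # skip the chunk's trailing CRLF
    return bytes(out)


def http_json_body(raw: bytes):
    """Parse one raw HTTP response; return its JSON body as a Python object."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:              # skip the status line
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().lower().decode()
    if headers.get("transfer-encoding") == "chunked":
        body = decode_chunked(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    if headers.get("content-encoding") == "gzip":     # what follow,http undoes for you
        body = gzip.decompress(body)
    return json.loads(body.decode("utf-8"))


# Constructed sample: a gzipped, chunked JSON response as seen on the proxied port 9088.
PAYLOAD = {"id": 42, "status": "ok", "items": [1, 2, 3]}


def build_sample() -> bytes:
    gz = gzip.compress(json.dumps(PAYLOAD).encode())
    half = len(gz) // 2
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in (gz[:half], gz[half:]))
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
            + chunks + b"0\r\n\r\n")


if __name__ == "__main__":
    print(http_json_body(build_sample()))
```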