Nishant

Reputation: 419

Understanding tshark output

I am trying to understand the output of network data captured by tshark using the following command

sudo tshark -i any 'tcp port 80' -V -c 800 -R 'http contains <filter_argument>' > <desired_file_location>

Accordingly, I get some packets in output each starting with a line something like this:

Frame 5: 1843 bytes on wire (14744 bits), 1843 bytes captured (14744 bits) on interface 0

I have some basic questions regarding a packet:

  1. Is a frame and a packet the same thing (used interchangeably)?
  2. Does a packet logically represent 1 request (in my case HTTP request)? If not, can a request span across multiple packets, or can a packet contain multiple requests? A more basic question will be what does a packet represent?
  3. I see a lot of information being captured in the request. Is there a way using tshark to just capture the http headers and http request body? Basically, my motive of this whole exercise is to capture all these requests to replay them later.

Any pointers in order to answer these doubts will be really helpful.

Upvotes: 1

Views: 1934

Answers (1)

David Hoelzer

Reputation: 16381

You've asked several questions. Here are some answers.

Are frames and packets the same things?

No. Technically, when you are looking at network data and that data includes the Layer 2 frame header, you are looking at a frame. The IP packet inside of that frame is just data from Layer 2's point of view. When you look at the IP datagram (or strip off the frame header), you are now looking at a packet.

Ultimately, I tell people that you should know the difference and try to use the terms properly, but in practice it's not an extremely important distinction.

Does a packet represent a single request?

This really depends. With HTTP 1.0 and 1.1, you could look at it this way, though there's no reason that, if the client has a significant amount of POST data to send, the request can't span multiple packets. It is better to think of a single "connection" or "session" as a single request/response. (This is not necessarily strictly true with HTTP 1.1, but it is generally true)

With HTTP 2.0, this is by design not true. A single connection or session is used to handle multiple data streams (requests/responses).

How can I get at the request headers?

This is far too lengthy for me to answer here. The simplest thing to do, most likely, is to simply fire up Wireshark, go into the filter bar and type "http." As soon as you hit the dot, you will see a list of all of the different sub-elements that you can look at. You can use these in tshark using the '-Y' option, and you can additionally specify columns that you would like to display (so you can add and remove columns, effectively).

An alternative way to see this information is to use the filter expression button to bring up the protocols selector. If you scroll down to HTTP, you can select it and then see all of the fields that are available.

When looking through these, realize that some of the fields are in the top-level rather than within request or response. For example, content-length appears as a field under http rather than http.request.content_length. This is because content-length is a field common to all requests and responses.

Upvotes: 2
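The first two points of the answer (a frame wraps a packet; one HTTP request can be spread over several packets) are easiest to see by taking the layers apart by hand. The following is an added example, not code from the question or the answer: it builds two constructed Ethernet/IPv4/TCP frames (all MAC and IP addresses, ports and the POST body are made up), shows that stripping the 14-byte Layer 2 header is exactly what turns the "frame" into the IP "packet", and then reassembles the TCP payloads in sequence order to recover a request that neither frame holds on its own. The "bytes on wire" value tshark prints corresponds to the full frame length (without FCS), which is what `frame_bytes` reports here.

```python
import struct

# Constructed example: every address, port and payload below is made up.
ETH_HDR_LEN = 14          # destination MAC, source MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(payload: bytes, seq: int, src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Wrap `payload` in minimal TCP, IPv4 and Ethernet headers (checksums left at 0)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                          5 << 4,      # data offset: 5 words = 20-byte header, no options
                          0x18,        # flags PSH|ACK
                          65535, 0, 0)
    ip_total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 1, 0x4000, 64,
                         IPPROTO_TCP, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    eth_hdr = struct.pack("!6s6sH", bytes([0xAA] * 6), bytes([0xBB] * 6), ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Peel the Layer 2 header to reach the packet, then the IP header to reach the segment."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are handled here")
    packet = frame[ETH_HDR_LEN:]              # this is the IP packet the answer talks about
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_TCP:
        raise ValueError("only TCP is handled here")
    segment = packet[ihl:total_len]           # the TCP segment carried by the packet
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    data_off = (segment[12] >> 4) * 4         # TCP header length in bytes
    return {
        "frame_bytes": len(frame),            # tshark's "bytes on wire" (no FCS in this example)
        "packet_bytes": len(packet),
        "src": f"{'.'.join(map(str, packet[12:16]))}:{src_port}",
        "dst": f"{'.'.join(map(str, packet[16:20]))}:{dst_port}",
        "seq": seq,
        "payload": segment[data_off:],
    }


def reassemble_stream(frames) -> bytes:
    """Order the segments of one direction of a TCP stream by sequence number and join them."""
    parsed = sorted((parse_frame(f) for f in frames), key=lambda p: p["seq"])
    return b"".join(p["payload"] for p in parsed)


def split_http_request(data: bytes):
    """Split a reassembled HTTP/1.x request into (request line, headers dict, body)."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: header block not terminated")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    expected = int(headers.get("content-length", "0"))
    if len(body) < expected:
        raise ValueError(f"body truncated: have {len(body)} of {expected} bytes")
    return lines[0], headers, body[:expected]


def single_frame_is_complete(frame: bytes) -> bool:
    """True only if one frame's payload already holds a whole request."""
    try:
        split_http_request(parse_frame(frame)["payload"])
        return True
    except ValueError:
        return False


# A constructed POST, deliberately cut in two so that it spans two frames.
REQUEST = (b"POST /login HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"Content-Length: 27\r\n\r\n"
           b"user=alice&password=hunter2")
FIRST, SECOND = REQUEST[:40], REQUEST[40:]
# Listed out of order on purpose; reassembly must go by sequence number, not capture order.
FRAMES = [build_frame(SECOND, seq=1000 + len(FIRST)), build_frame(FIRST, seq=1000)]


def demo():
    info = parse_frame(FRAMES[1])
    request_line, headers, body = split_http_request(reassemble_stream(FRAMES))
    return info, request_line, headers, body


if __name__ == "__main__":
    info, request_line, headers, body = demo()
    print(f"frame: {info['frame_bytes']} bytes on wire, IP packet inside it: {info['packet_bytes']} bytes")
    print(f"first frame alone holds a complete request: {single_frame_is_complete(FRAMES[1])}")
    print(request_line, headers, body)
```

The first frame on its own fails to parse (the header block is not even terminated), while the reassembled stream yields the full request with a body that matches its Content-Length. That is the distinction the answer draws: tshark's "Frame N" lines count Layer 2 frames, and HTTP only makes sense once the TCP stream has been put back together.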
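For the third point, the concrete tshark form of "use -Y and pick your columns" is `-Y <display filter>` combined with `-T fields` and one `-e` per field; `tshark -G fields` lists every field name, so `tshark -G fields | grep 'http\.'` gives the same list the answer describes seeing in the Wireshark filter bar. The block below is an added example, not code from the answer: it builds that command line, parses the tab-separated output it produces (the sample output is constructed by hand, not a real capture), rebuilds each request as replayable text, and checks that the captured body length matches the declared Content-Length, which is the sanity check to run before trusting a replay. Two assumptions are worth flagging: `http.request.line` is assumed to print each header line with the trailing CRLF escaped as the literal text `\r\n`, and `http.file_data` is assumed to print the body as text; verify both against the output of your own tshark version before relying on the reconstruction.

```python
import subprocess
import sys
from typing import Dict, List

# Real tshark field names; their order here is the column order of the output.
FIELDS = ["frame.number", "tcp.stream", "ip.src", "http.request.method",
          "http.request.uri", "http.request.version", "http.request.line",
          "http.content_length", "http.file_data"]
SEP = "|"   # joins repeated values of one field (one http.request.line per header)


def tshark_command(pcap_path: str, display_filter: str = "http.request") -> List[str]:
    """Build the tshark argv: -Y selects packets, -T fields with -e picks the columns."""
    cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields",
           "-E", "header=y", "-E", "separator=/t", "-E", f"aggregator={SEP}"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text: str) -> List[Dict[str, str]]:
    """Turn the header-first, tab-separated output of -T fields into one dict per packet."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    names = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        values = line.split("\t")
        values += [""] * (len(names) - len(values))   # pad a short line with empty fields
        records.append(dict(zip(names, values)))
    return records


def run_tshark(pcap_path: str) -> List[Dict[str, str]]:
    """Run tshark on a saved capture (needs tshark on PATH) and parse what it prints."""
    out = subprocess.run(tshark_command(pcap_path), check=True, capture_output=True, text=True)
    return parse_fields_output(out.stdout)


def _header_lines(record: Dict[str, str]) -> List[str]:
    raw = record.get("http.request.line", "")
    # Assumption: tshark renders each header's terminating CRLF as the literal text \r\n.
    return [h.replace("\\r\\n", "").rstrip("\r\n") for h in raw.split(SEP) if h]


def build_replay_request(record: Dict[str, str]) -> str:
    """Reconstruct the raw HTTP/1.x request text from the extracted fields."""
    request_line = (f"{record['http.request.method']} {record['http.request.uri']} "
                    f"{record['http.request.version']}")
    headers = "\r\n".join(_header_lines(record))
    return f"{request_line}\r\n{headers}\r\n\r\n{record.get('http.file_data', '')}"


def body_complete(record: Dict[str, str]) -> bool:
    """Captured body length must equal Content-Length, or the replay would be truncated."""
    declared = record.get("http.content_length") or "0"
    return len(record.get("http.file_data", "")) == int(declared)


# Constructed sample of what the command above prints; not taken from a real capture.
SAMPLE_OUTPUT = (
    "frame.number\ttcp.stream\tip.src\thttp.request.method\thttp.request.uri\t"
    "http.request.version\thttp.request.line\thttp.content_length\thttp.file_data\n"
    "12\t0\t10.0.0.2\tGET\t/index.html\tHTTP/1.1\t"
    "Host: example.test\\r\\n|User-Agent: curl/8.0\\r\\n\t\t\n"
    "57\t3\t10.0.0.2\tPOST\t/login\tHTTP/1.1\t"
    "Host: example.test\\r\\n|Content-Type: application/x-www-form-urlencoded\\r\\n"
    "|Content-Length: 27\\r\\n\t27\tuser=alice&password=hunter2\n"
)

if __name__ == "__main__":
    records = run_tshark(sys.argv[1]) if len(sys.argv) > 1 else parse_fields_output(SAMPLE_OUTPUT)
    for rec in records:
        status = "ok" if body_complete(rec) else "TRUNCATED"
        print(f"--- frame {rec['frame.number']} stream {rec['tcp.stream']} [{status}]")
        print(build_replay_request(rec))
```

Run it with a capture path to use tshark, or without arguments to see the constructed sample parsed. Note that `-Y` is a display filter applied after dissection, so the HTTP fields are only populated once TCP reassembly has run (on by default); the original question's `-R` read filter needs `-2` on current tshark releases.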
