Wireshark - Finding HTTP and application layer payload from a given pcap file

Question

I am trying to trying to get the packets which contain application layer payloads like HTTP from a given pcap file.

I have tried using http in the Wireshark display filter. My doubt is that, is it the right way to get the http payload from the pcap file. Please help me on this.

Answer 1

Saving HTTP packets

To filter for http traffic in tshark, you would use a display filter (-Y). This is sample output showing what that would look like:

$ tshark -r input.pcap -Y http
   25   1.051399 10.8.143.109 → server-13-35-127-122.sfo5.r.cloudfront.net HTTP
630 GET /online HTTP/1.1  0c:8d:db:90:cf:38 ← 6c:96:cf:d8:7f:e7
   34   1.078368 server-13-35-127-122.sfo5.r.cloudfront.net → 10.8.143.109 HTTP
404 HTTP/1.1 304 Not Modified  6c:96:cf:d8:7f:e7 ← 0c:8d:db:90:cf:38

This shows them output as text (the default). To output them to a new file, use the -w flag:

$ tshark -r input.pcap -Y http -w modified.pcap

Export files

You can also export certain types of plaintext objects from tshark

$ output_folder="files"
$ tshark -r input.pcap --export-object http,$output_folder
$ ls $output_folder
example.png example.html ...

This article will walk you through generating a packet capture from which you can then export HTTP files.