Capture HTTP GET requests

httpwireshark

In the Wireshark wiki is an example for filtering HTTP GET requests:

Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. From Jefferson Ogata via the tcpdump-workers mailing list.

with this filter:

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

Unfortunately this does not work. How is the correct filter for HTTP GET requests?

Best Answer

It does work, make sure you are surrounding your filter in double quotes so the shell doesn't try and parse the filter arguments.

e.g. a curl of google.com for me:

$ sudo tshark -i eth0 "port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000   10.53.0.66 -> 209.85.143.104 HTTP GET / HTTP/1.1

This is a rather complicated way of doing it though. tshark does allow you the concept of applying read filters. Now these may not be as useful if you've got a large volume of data (filtering happens after capturing) but they're certainly more intuitive and readable.

$ sudo tshark -i eth0 -R 'http.request.method == "GET"' "port 80"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  5.641015   10.53.0.66 -> 209.85.143.104 HTTP GET / HTTP/1.1

Best Answer

Related Solutions

Tool to capture outbound http packets in a linux server

How to filter for HTTP 500 responses and their requests in Wireshark

Related Topic