I am trying to collect HTTP requests and responses from a remote host using Wireshark using SSH tunnel. So I have Windows host with Wireshark on it, and Linux host with tcpdump on it and a web server listening on port 5000.

I execute tcpdump on the linux host and try to get the output on the windows host. I can see the flow of the packets pretty well, but I see NO HTTP!

When I try to send any request to the web host I see some tcp packets flowing in and out, but no HTTP. It must be mentioned the I see the HTTP requests and responses when I execute the same tcpdump command on Linunx host.

C:\Users\mne\Desktop\plink.exe -ssh -pw XZY root@somehost.com "tcpdump -i any 'port 5000'" -w - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

This is how the output looks like:

Could any one help me to get the HTTP data in Wireshark to be able to analyze them?

UPDATE

I export the output of dumptcp to a file (where I can clearly see HTTP requests body and header). I tried to open that file in Wireshark, but Wireshark was UNABLE to display the HTTP.

Best Answer

Wireshark doesn't automatically treat this connection as HTTP because it was on TCP port 5000, which isn't a commonly used port for HTTP traffic.

To have Wireshark interpret it as HTTP traffic anyway, right click on one of the response packets, choose Decode as... and then select HTTP from the list.

Linux – How to collect HTTP data in Wireshark from a remote Linux host

UPDATE

Best Answer

Related Topic

UPDATE

Best Answer

Related Solutions

Monitoring HTTP traffic using tcpdump

How to filter for HTTP 500 responses and their requests in Wireshark

Related Topic