Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: [Wireshark-users] tshark http -e options

From: Chris Datfung <chris.datfung@xxxxxxxxx>
Date: Tue, 21 May 2013 23:39:02 +0300
Hi,

I want to use tshark to capture http requests and responses. I have having difficulty getting POST bodies and the HTML response body to appear. I'm using the following command:

tshark -R "http.response or http.request" -T fields -E separator="|" -e frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.request.version -e http.request.method -e http.request -e http.host -e http.request.uri -e http.user_agent -e http.response.code -e http.content_type -e http.content_length -e http.location -e http.referer -e http.response.body

Is there a URL that shows all possible -e flags? Can someone suggest how I can print a pipe deliminated output of the entire http request and response pair?

Thanks,
Chris