Tshark - PSJoshi/Notes GitHub Wiki

Capture TCP stream

  • Step 1 (capture network traffic): tshark -i eth0 -f "port 9088" -w capture.pcap
  • Step 2 (list captured TCP streams): tshark -r capture.pcap -T fields -e tcp.stream | sort -u
  • Step 3 (dump the content of one particular TCP stream): tshark -nr capture.pcap -q -d tcp.port==9088,http -z follow,http,ascii,_your_stream_number

Notice the "-d tcp.port==9088,http" option, which forces HTTP decoding on port 9088: tshark would not pick the HTTP dissector for that port on its own, since in this case it is a socks5 proxy that runs there.

Most importantly, "-z follow,http,ascii,_your_stream_number" (where _your_stream_number is one of the tcp.stream indexes listed in Step 2): the "follow,http" mode reassembles the HTTP conversation and decodes gzipped HTTP body content, whereas the older "follow,tcp" only shows the raw, still-compressed payload bytes. "follow,http" is only available from version 2.2.0 of Wireshark/tshark.
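The following POSIX shell script is an added example, not part of the wiki page or of tshark itself: it chains Step 2 and Step 3 for every TCP stream on the proxy port and first checks the installed tshark against the 2.2.0 requirement for "follow,http". The version parsing, the per-stream output files and the "-Y tcp.port==..." display filter that limits the stream list to the proxy port are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the PSJoshi/Notes wiki page): run Step 2 and Step 3
# from the page for every TCP stream on the proxy port, after checking that the
# installed tshark is new enough for "-z follow,http" (>= 2.2.0).
# The output layout and the -Y display filter are this example's choices.

# Pull the dotted version out of the first line of `tshark -v`, e.g.
#   "TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)" -> 3.6.2
#   "TShark 1.12.1 (Git Rev Unknown from unknown)"              -> 1.12.1
# Prints an empty line if the banner is not recognised.
tshark_version_from_banner() {
    _b=${1#TShark }
    _b=${_b#(Wireshark) }
    case $_b in
        [0-9]*) printf '%s\n' "${_b%%[!0-9.]*}" ;;   # cut at first non-digit/dot
        *)      printf '\n' ;;
    esac
}

# Return 0 if dotted version $1 >= $2, comparing field by field numerically
# (so 2.10.0 > 2.2.0, unlike a plain string comparison). Missing fields count as 0.
version_ge() {
    _v=$1 _w=$2
    while [ -n "$_v" ] || [ -n "$_w" ]; do
        _a=${_v%%.*} _c=${_w%%.*}
        [ "${_a:-0}" -gt "${_c:-0}" ] && return 0
        [ "${_a:-0}" -lt "${_c:-0}" ] && return 1
        case $_v in *.*) _v=${_v#*.} ;; *) _v= ;; esac
        case $_w in *.*) _w=${_w#*.} ;; *) _w= ;; esac
    done
    return 0
}

# True when tshark is installed and at least 2.2.0 (the page's requirement for follow,http).
tshark_supports_follow_http() {
    command -v tshark >/dev/null 2>&1 || return 1
    version_ge "$(tshark_version_from_banner "$(tshark -v 2>/dev/null | head -n 1)")" 2.2.0
}

# follow_all_streams <pcap> <port> <outdir>
# Step 2: list the TCP stream indexes seen on <port> (the -Y display filter drops
# other traffic and the empty fields that non-TCP packets would produce).
# Step 3: for each index, write the decoded HTTP conversation to <outdir>/stream_<n>.txt.
follow_all_streams() {
    pcap=$1 port=$2 outdir=$3
    if ! tshark_supports_follow_http; then
        echo "need tshark >= 2.2.0 for -z follow,http" >&2
        return 1
    fi
    mkdir -p "$outdir"
    tshark -nr "$pcap" -Y "tcp.port==$port" -T fields -e tcp.stream | sort -nu |
    while read -r stream; do
        # -d forces the HTTP dissector on the non-standard port, -q suppresses per-packet lines
        tshark -nr "$pcap" -q -d "tcp.port==$port,http" \
               -z "follow,http,ascii,$stream" > "$outdir/stream_$stream.txt"
    done
}

# Usage: sh follow_streams.sh capture.pcap 9088 streams/
if [ $# -eq 3 ]; then
    follow_all_streams "$1" "$2" "$3"
fi
```

Running it as "sh follow_streams.sh capture.pcap 9088 streams/" leaves one file per stream under streams/, each holding what Step 3 prints for that stream; on a tshark older than 2.2.0 it stops with an error instead of silently falling back to raw TCP output.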