| 1 | +--- |
| 2 | +title: Baby TShark |
| 3 | +date: 2020-02-15 10:00:00 +0100 |
| 4 | +categories: debugging |
| 5 | +--- |
| 6 | + |
| 7 | +I was made aware of Wireshark when I wanted to investigate certain HTTP requests to Elasticsearch. Wireshark is a network protocol analyzer with a GUI, while TShark is the equivalent CLI tool. |
| 8 | + |
| 9 | +TShark has a lot of options and capabilities to get low-level network insights but what I wanted to do was pretty specific and simple: I wanted to intercept and monitor HTTP requests to a certain port on localhost. |
| 10 | + |
| 11 | +`tshark` lets you do that, without the need to set up a proxy, which would be how I normally do this sort of thing. |
| 12 | + |
| 13 | +As an example let's start a server locally: |
| 14 | + |
| 15 | + python -m SimpleHTTPServer 8000 |
| 16 | + |
| 17 | +Let's send a request: |
| 18 | + |
| 19 | + $ curl localhost:8000/hey |
| 20 | + <head> |
| 21 | + <title>Error response</title> |
| 22 | + </head> |
| 23 | + <body> |
| 24 | + <h1>Error response</h1> |
| 25 | + <p>Error code 404. |
| 26 | + <p>Message: File not found. |
| 27 | + <p>Error code explanation: 404 = Nothing matches the given URI. |
| 28 | + </body> |
| 29 | + |
| 30 | +It fails, as expected. With `tshark` you can monitor HTTP requests to port 8000 like this: |
| 31 | + |
| 32 | + $ tshark -i lo0 -Y http.request 'tcp port 8000' |
| 33 | + Capturing on 'Loopback: lo0' |
| 34 | + 5 0.000132 127.0.0.1 → 127.0.0.1 HTTP 137 GET /hey HTTP/1.1 |
| 35 | + |
| 36 | +Here's how you can customize which HTTP data you see: |
| 37 | + |
| 38 | + $ # Going to run curl -X POST localhost:8000/hey -d '{ "yo": true }' -H 'Content-Type: application/json' from another terminal |
| 39 | + $ tshark -i lo0 -Y http.request -T fields -e http.request.method -e http.request.uri -e http.file_data 'tcp port 8000' |
| 40 | + Capturing on 'Loopback: lo0' |
| 41 | + POST /hey { "yo": true } |
| 42 | + |
| 43 | +If you want to see the request headers and body, you can get most of that data with the `-O http,json` option: |
| 44 | + |
| 45 | + $ # Going to run curl -X POST localhost:8000/hey -d '{ "yo": true }' -H 'Content-Type: application/json' from another terminal |
| 46 | + $ tshark -i lo0 -Y http.request -O http,json 'tcp port 8000' |
| 47 | + Capturing on 'Loopback: lo0' |
| 48 | + Frame 5: 204 bytes on wire (1632 bits), 204 bytes captured (1632 bits) on interface 0 |
| 49 | + Null/Loopback |
| 50 | + Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1 |
| 51 | + Transmission Control Protocol, Src Port: 54939, Dst Port: 8000, Seq: 1, Ack: 1, Len: 148 |
| 52 | + Hypertext Transfer Protocol |
| 53 | + POST /hey HTTP/1.1\r\n |
| 54 | + [Expert Info (Chat/Sequence): POST /hey HTTP/1.1\r\n] |
| 55 | + [POST /hey HTTP/1.1\r\n] |
| 56 | + [Severity level: Chat] |
| 57 | + [Group: Sequence] |
| 58 | + Request Method: POST |
| 59 | + Request URI: /hey |
| 60 | + Request Version: HTTP/1.1 |
| 61 | + Host: localhost:8000\r\n |
| 62 | + User-Agent: curl/7.54.0\r\n |
| 63 | + Accept: */*\r\n |
| 64 | + Content-Type: application/json\r\n |
| 65 | + Content-Length: 14\r\n |
| 66 | + [Content length: 14] |
| 67 | + \r\n |
| 68 | + [Full request URI: http://localhost:8000/hey] |
| 69 | + [HTTP request 1/1] |
| 70 | + File Data: 14 bytes |
| 71 | + JavaScript Object Notation: application/json |
| 72 | + Object |
| 73 | + Member Key: yo |
| 74 | + True value |
| 75 | + Key: yo |
| 76 | + |
| 77 | +Read more about TShark in the [docs](https://www.wireshark.org/docs/man-pages/tshark.html) or just run `tshark --help`. |
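Review bot: the interface name in every `tshark -i lo0` invocation is macOS-specific, and the post never says so; on Linux the loopback interface is `lo`, and on either platform a live capture needs root or membership in the capture group that dumpcap is configured for, so a reader copying the commands verbatim will get "no such interface" or a permission error. Suggest one sentence after "With `tshark` you can monitor HTTP requests to port 8000 like this:" naming the platform and the privilege requirement, and noting `tshark -D` to list capturable interfaces. Two smaller points: `python -m SimpleHTTPServer 8000` only works on Python 2 (Python 3 is `python3 -m http.server 8000`), and "intercept" in the intro overstates what the commands do; `tshark` passively observes the traffic and decodes it only because it is plaintext HTTP, so the same `-O http,json` output will not appear for an HTTPS endpoint without the TLS keys. Worth saying explicitly, since the full-body output shown here is exactly why a capture file of plaintext traffic should be treated as sensitive.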