inspecting full (reassembled) http post content

[Tomasz Marciniak <tomasz.marciniak () eo pl>]

Hello list,

I can't find the solution for following problem: I have a tcpdump
capture file from which I'd like to extract all HTTP POST requests (with
their payload).

When I do something like this:

tshark -V -T text -R 'http.request and http.request.method == "POST"'
-r /tmp/tpdump.out

the POST content is truncated, e.g. for example captured PNG upload
shows only information about encapsulated chunks of data, not the data
itself.

However when I add the "-x" option to tshark, I can see this data
reassembled (but also in hex dump which I don't need).

Is there a way to extract this data? What I need is a tshark equivalent
to "export selected bytes as..." option found in wireshark.

-- 
Tomasz Marciniak


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe