Written by Martin
on July 15, 2020

Capture http requests using tshark

While playing attack/defense CTFs I often want to see what kind of requests other teams are sending to our services. tshark, the cli version of wireshark, can be used the achieve this. This command prints the URL, parameters and body of incoming http requests on port 4000:

tshark -i eth0 -Y 'http.request and tcp.dstport == 4000 and http.request.full_uri' -T fields -e http.request.full_uri -e http.file_data

The output looks like this:

http://localhost:4000/styles.css
http://localhost:4000/assets/fonts/fonts.css
http://localhost:4000/
http://localhost:4000/	some=data

The filters and field names are the ones used by wireshark and are documented here.

← → If this helped you feel free to follow me on Twitter or Github