I want to be able to filter for ONLY the initial GET request using tshark or tcpdump. This has to work for both HTTP and HTTPS traffic. This is what I currently have...
tshark -R '(http.request.method == "GET") && (http.request.uri =="/")'
This returns the GET requests for all HTTP traffic but does nothing when I go to HTTPS sites. Any ideas would be great! Thanks.
"https" is HTTP-over-SSL/TLS-over-TCP. The "SSL/TLS" part means that the raw TCP segments contain encrypted data, so they don't, for example, contain the string "GET" (unless, by pure accident, something happens to encrypt to a sequence of bytes that includes 0x47 0x45 0x54).
This means that any program doing filtering will have to decrypt the data in the stream. tcpdump doesn't support decrypting SSL/TLS; Wireshark/TShark can, in some cases, be configured to decrypt SSL/TLS traffic, if you can supply it with the information required to do so.
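As an added example (not part of the answer above), this is how the same display filter can be applied once TShark has the key material it needs: the client must have been started with the SSLKEYLOGFILE environment variable so its TLS session secrets were written to a key log, and capture.pcap / keys.log are placeholder file names.

```shell
#!/bin/sh
# Added example: decrypt HTTPS in tshark with an NSS-format TLS key log and then
# apply the question's own GET filter to the decrypted stream.
# Assumptions: the browser wrote its session secrets to keys.log via
# SSLKEYLOGFILE; capture.pcap is the capture of that browsing session.

# Build the tshark command line.  -Y is the display filter (current releases
# reserve -R for two-pass mode with -2); -o tls.keylog_file points at the key
# log.  Wireshark releases older than 3.0 call the preference ssl.keylog_file.
tshark_get_cmd() {
    pcap="$1"
    keylog="$2"
    printf 'tshark -r %s -o tls.keylog_file:%s -Y %s\n' \
        "$pcap" "$keylog" \
        "'(http.request.method == \"GET\") && (http.request.uri == \"/\")'"
}

# Run the filter when tshark and the capture are available; otherwise only
# show the command that would be run.
run_filter() {
    pcap="$1"
    keylog="$2"
    cmd=$(tshark_get_cmd "$pcap" "$keylog")
    if command -v tshark >/dev/null 2>&1 && [ -r "$pcap" ] && [ -r "$keylog" ]; then
        eval "$cmd"
    else
        echo "tshark or input files not available; would run: $cmd"
    fi
}

run_filter capture.pcap keys.log
```

Without the key log the same command matches nothing on HTTPS flows, and if the server negotiated HTTP/2 the decrypted requests are dissected as http2 rather than http, so the filter fields change accordingly.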