I'm trying to use tshark to record each request sent to a WebService called myservice.
When I use the command below, I can see in the output file every request sent on port 8280 (Tomcat):
tshark -n -i eth1 port 8280 -w output.pcap
Considering I have a lot of WebServices in that Tomcat instance, I would like to filter by service name, something like this:
tshark -n -i eth1 port 8280 -w output.pcap -R 'http.request.uri contains "myservice"'
According to the man page, it looks like I should rather use -f (capture filter) than -R (display filter), since you can't use -R with -w:
tshark: Read filters aren't supported when capturing and saving the captured packets.
I took a look at the documentation about capture filters but I can't see a way to do that. I also tried with tcpdump without success.
You can use ngrep for this:
sudo ngrep -O output.pcap -i -d eth0 'myservice'
Although you might get some false positives depending on whether or not 'myservice' is found in an irrelevant packet that was not intended for your application. To avoid this, you might want to apply a BPF filter to grep only traffic that was directed to your service/app:
sudo ngrep -O output.pcap -i -d eth0 'myservice' 'tcp dst port 8280'
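As an added example (not part of the question or the answer above), here is the two-pass approach with tshark itself: the error in the question only applies to live capture, so you capture the port with a BPF filter (-f) and -w, then re-read the saved file with -r, apply the display filter with -Y, and write the matches out again with -w. The interface name, port and the "myservice" URI fragment are taken from the question; the file names raw.pcap and filtered.pcap and the duration autostop are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original question or answer: two-pass capture with
# tshark. Live capture cannot combine -w with a read/display filter, but a saved
# pcap can be re-read with -r, filtered with -Y, and written out again with -w.
# Assumed values: interface eth1, Tomcat on TCP 8280, URI fragment "myservice".
# Requires tshark in PATH and capture privileges for pass 1.

IFACE="${IFACE:-eth1}"
PORT="${PORT:-8280}"
SERVICE="${SERVICE:-myservice}"

# Build the display filter for the second pass: HTTP requests on the given
# port whose URI contains the service name (case-sensitive, like the original -R).
request_filter() {
    printf 'tcp.port == %s && http.request.uri contains "%s"' "$1" "$2"
}

# Pass 1: capture all traffic to/from the port with a BPF capture filter (-f),
# which is the only filter type allowed together with live -w. The duration
# autostop keeps the run finite; default 60 seconds.
capture_port() {
    tshark -n -i "$IFACE" -f "tcp port $PORT" -a "duration:${1:-60}" -w raw.pcap
}

# Pass 2: re-read the raw capture and keep only packets matching the display
# filter. This keeps the request packets themselves, not the whole TCP
# conversation, so responses are not included in filtered.pcap.
filter_requests() {
    tshark -r raw.pcap -Y "$(request_filter "$PORT" "$SERVICE")" -w filtered.pcap
}

# Summarise what was kept: timestamp, method and URI per request.
list_requests() {
    tshark -r filtered.pcap -Y http.request -T fields \
        -e frame.time -e http.request.method -e http.request.uri
}

# Usage: run all three passes with "sh capture.sh run [seconds]".
if [ "${1:-}" = "run" ]; then
    capture_port "${2:-60}" && filter_requests && list_requests
fi
```

Unlike the ngrep pattern match, the display filter only matches the parsed request-line URI, so the string appearing in a body or an unrelated packet is not a false positive. If you need the full conversations rather than just the request packets, filter on tcp.stream instead of the URI in the second pass.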