
TShark doesn't capture HTTP requests from any browser


I see Wireshark can capture all HTTP requests from anywhere, including a browser, especially POST requests I initiate inside. But when I use TShark

tshark -F pcapng -w out.pcapng

and try to read results like this

tshark -T json -r out.pcapng

those requests are not listed.

I'm aware of this...

Without any options set, TShark will work much like tcpdump. It will use the pcap library to capture traffic from the first available network interface and displays a summary line on the standard output for each received packet.

but I don't know which correct options to set, so I can add those requests to be detected. Also, if this is not supposed to work exactly like Wireshark, alternatives are welcome.


Solution

  • You didn't specify the interface on which to capture. From the tshark man page:

    If no interface is specified, TShark searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces.

    You should specify the interface to capture from to ensure you're capturing on the correct interface. You can run tshark -D to list all interfaces and then choose the appropriate one for use in the -i option, e.g.

    tshark -i <N> -F pcapng -w out.pcapng
    

    ... where <N> is the number of the appropriate interface found by running tshark -D.

    And if you're only interested in HTTP traffic, then you may want to limit the packets that you capture to avoid capturing irrelevant traffic. Typically, HTTP traffic is seen on TCP port 80, so:

    tshark -i <N> -F pcapng -w out.pcapng -f "tcp port 80"
    

    If you're still not seeing any HTTP traffic, then it may be because either there is no HTTP traffic available at the time the capture was made or the traffic wasn't actually HTTP, but rather HTTPS.
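
The steps from the answer combined into one script, as an added example that is not part of the original answer: it resolves the interface number from `tshark -D`, captures without a port filter, and then checks whether the capture holds port 80 or only port 443 traffic before printing HTTP packets. The function names `iface_number`, `port_verdict` and `main` and the 30-second capture duration are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example; helper names and the 30 s duration are hypothetical choices.

# Read `tshark -D` output on stdin (lines like "3. lo (Loopback)") and
# print the number assigned to the interface named $1; fail if absent.
iface_number() {
    awk -v want="$1" '
        { n = $1; sub(/\.$/, "", n) }
        $2 == want { print n; found = 1; exit }
        END { exit !found }'
}

# Read `tshark -r FILE -T fields -e tcp.dstport` output on stdin and say
# whether any packet targets port 80, only port 443, or neither.
port_verdict() {
    awk '
        $1 == 80  { http++ }
        $1 == 443 { tls++ }
        END {
            if (http)     print "http"
            else if (tls) print "https-only"
            else          print "none"
        }'
}

# Usage: ./capture.sh <interface-name> [output-file]
main() {
    name=$1
    out=${2:-out.pcapng}
    n=$(tshark -D | iface_number "$name") || {
        echo "interface '$name' not listed by tshark -D" >&2
        return 1
    }
    # No capture filter here, so port 443 traffic is kept for the check below.
    tshark -i "$n" -a duration:30 -F pcapng -w "$out"
    case $(tshark -r "$out" -T fields -e tcp.dstport | port_verdict) in
        http)       tshark -r "$out" -Y http -T json ;;
        https-only) echo "only port 443 seen: the browser used HTTPS" >&2 ;;
        *)          echo "no port 80/443 traffic on '$name'" >&2 ;;
    esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```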