Tshark + http.cap + alternate port number?


#1

Newbie question …

I’m trying to use tshark to analyze traffic to port 8090 on another machine. The traffic is all HTTP PUTs and responses. I’m able to specify the port number for capture (“tcp port 8090”), and the http filter works if I use port 80 instead, but I can’t get them to work in conjunction. Is there a way to make this work?

If not, could someone point me to the source and toolset that were used to produce http.cap? Maybe I can tweak it for port 8090?


#2

I found a workable solution, but not for tshark …

In a bash shell …

sudo tcpdump -i eth0 -w my_file.cap "tcp port 8090"

In Wireshark

  • Select File/Open, then “my_file.cap”
  • Right-click on one of the entries
  • Select “Decode As …”
  • Select the Transport tab.
  • Select TCP “source (8090)”
  • Select “HTTP” from the transport protocol list
  • Click “Apply”
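
The "Decode As" step above also exists on the tshark command line as the -d option, so the same analysis can be done without the GUI. The script below is an added example, not part of the original posts; the port, interface and file name are taken from the thread, and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: HTTP analysis on a non-standard port with tshark "Decode As".
# Port 8090, eth0 and my_file.cap come from the thread; function names are
# hypothetical.

# Validate a TCP port and print the Decode As spec for tshark's -d option.
# Only plain integers 1..65535 pass, so the value is safe to place in a filter.
decode_as_http() (
  case $1 in
    ''|0*|*[!0-9]*) echo "invalid port: $1" >&2; exit 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -le 65535 ] || {
    echo "port out of range: $1" >&2; exit 1; }
  printf 'tcp.port==%s,http\n' "$1"
)

# Read a saved capture and print one row per HTTP request or response.
# $1 = capture file, $2 = TCP port to dissect as HTTP.
summarize_http() (
  spec=$(decode_as_http "$2") || exit 1
  tshark -r "$1" -d "$spec" -Y http -T fields -E header=y \
    -e frame.number -e ip.src -e ip.dst \
    -e http.request.method -e http.request.uri -e http.response.code
)

# Live capture: the capture filter (-f) limits what is recorded, while -d
# tells the dissector to treat that port as HTTP. Needs capture privileges.
# $1 = interface, $2 = TCP port.
capture_http() (
  spec=$(decode_as_http "$2") || exit 1
  tshark -i "$1" -f "tcp port $2" -d "$spec" -Y http
)

# Usage: sh this_script.sh my_file.cap 8090
if [ "$#" -eq 2 ]; then
  summarize_http "$1" "$2"
fi
```

For a live session, call capture_http eth0 8090 instead of reading the saved file.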