Is there any way to parse HTTP request data in Wireshark? For example, can I expose the request parameters upon an HTTP GET request (being sent by my machine), so that I don't need to read the (sometimes) truncated URL and find them by myself?
I was using Tamper Data and Firebug, on my Firefox, to analyse these requests, but they're not as reliable as a stand-alone tool for monitoring my network interface, while Wireshark keeps the data too raw concerning HTTP flow.
If you guys know any other stand-alone tool that does this (must be Linux-compatible), please tell me.
Thanks!
Sure, you can do it with tshark:
If you're running HTTP on a non-standard port, say 8000 for a proxy, make sure to add `-d tcp.port==8000,http` so it will know to decode port 8000 as HTTP traffic.
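As an added example (not part of the answer above), here is the post-capture step the question is really asking for: taking one request's raw bytes, as shown by Wireshark's Follow TCP Stream or written out by tshark with `-T fields -e http.request.method -e http.request.full_uri`, and turning them into decoded parameters instead of a truncated URL read by eye. The sample requests are constructed, not captured; `parse_http_request` and the hostname `example.test` are names chosen for this example.

```python
"""
Parse the raw bytes of one HTTP request (the TCP payload Wireshark shows)
into method, host, path and *decoded* parameters, taken from the query
string and, for application/x-www-form-urlencoded POSTs, from the body.
Added example: the requests below are constructed samples, not captures.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a GET with a '+' space, a repeated key and an empty value.
GET_REQUEST = (
    b"GET /search?q=wireshark+http&lang=en&lang=fr&debug= HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: constructed-sample/1.0\r\n"
    b"\r\n"
)

# Constructed sample: the absolute-URI form a client sends to a forward proxy.
PROXY_REQUEST = (
    b"GET http://example.test/api?token=abc%3D%3D HTTP/1.1\r\n"
    b"User-Agent: constructed-sample/1.0\r\n"
    b"\r\n"
)

# Constructed sample: parameters in the body, with percent-encoded punctuation.
POST_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"user=alice&pass=p%40ss%26word%21"
)


def parse_http_request(raw: bytes) -> dict:
    """Return method, version, host, path, query params and form params.

    Multi-valued keys stay lists (parse_qs semantics); percent escapes and
    '+' are decoded, which is exactly the work done by hand otherwise.
    Raises ValueError if the end-of-headers marker is missing, i.e. the
    capture only holds part of the request.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end-of-headers marker")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # urlsplit copes with both "/path?x=1" and "http://host/path?x=1" targets,
    # so proxy-style requests give the host from the target, others from Host.
    parts = urlsplit(target)
    host = parts.netloc or headers.get("host", "")
    query = parse_qs(parts.query, keep_blank_values=True)

    form = {}
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        # Trust Content-Length over whatever trails in the segment.
        length = int(headers.get("content-length", len(body)))
        form = parse_qs(body[:length].decode("iso-8859-1"), keep_blank_values=True)

    return {
        "method": method,
        "version": version,
        "host": host,
        "path": parts.path,
        "query": query,
        "form": form,
    }


if __name__ == "__main__":
    for sample in (GET_REQUEST, PROXY_REQUEST, POST_REQUEST):
        req = parse_http_request(sample)
        print(req["method"], req["host"], req["path"])
        for source in ("query", "form"):
            for key, values in req[source].items():
                print(f"  [{source}] {key} = {values}")
```

Note that Wireshark will only hand you these bytes for plaintext HTTP; a request sent over HTTPS shows up as TLS application data, which is one reason an in-browser tool can see a GET that a packet capture cannot.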
Have you tried http://www.pcapr.net/xtractr ? It uses tshark to index very large pcaps and has HTTP content extraction
It's not clear what you're ultimately trying to achieve (i.e., what analysis are you trying to do or is this generic troubleshooting, etc).
If you're looking for a realtime HTTP monitor (as you're mooting against the pcapr answer), then would just redirecting requests through a proxy do the job (e.g., with Apache or Squid)? Okay, it's not a passive monitor in this instance (unlike Wireshark [et al]), but would get you the URLs. Then you should be able to extract the query string from access logs.
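As an added example (not part of the answer above) of the access-log route: the function below walks log lines in Apache's combined format, which is an assumption about how the proxy or server is configured, and decodes the query string of each request that has one. The log lines are constructed samples, and `requests_with_params` is a name chosen here.

```python
"""
Extract decoded query parameters from access log lines.
Assumes Apache 'combined' log format (LogFormat "%h %l %u %t \"%r\" %>s %b
\"%{Referer}i\" \"%{User-Agent}i\""). Added example; the log lines below
are constructed samples, not real logs.
"""
import re
from urllib.parse import parse_qs, urlsplit

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: a plain GET, a proxied absolute-URI GET,
# a POST (whose parameters live in the body and never reach the log),
# and a line that is not in the expected format at all.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2012:13:55:36 +0000] "GET /search?q=wireshark+http&page=2 HTTP/1.1" 200 2326 "-" "constructed/1.0"
10.0.0.5 - - [10/Oct/2012:13:55:40 +0000] "GET http://example.test/api?token=abc%3D%3D&x=1 HTTP/1.1" 200 512 "-" "constructed/1.0"
10.0.0.7 - - [10/Oct/2012:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "http://example.test/" "constructed/1.0"
garbage line that does not match the format
"""


def requests_with_params(log_text: str) -> list:
    """Return (client, method, path, params) for each line carrying a query string.

    Lines that do not match the format are skipped rather than guessed at,
    and requests without a query string (such as form POSTs) are dropped,
    because the access log records the request line only, never the body.
    """
    rows = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.query:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        rows.append((m.group("client"), m.group("method"), parts.path, params))
    return rows


if __name__ == "__main__":
    for client, method, path, params in requests_with_params(SAMPLE_LOG):
        print(client, method, path, params)
```

Two caveats a practitioner should keep in mind with this approach: POST bodies are not in the access log, so form parameters are invisible here, and for HTTPS a forward proxy only logs the CONNECT to host:port unless it is configured to intercept TLS.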
Is it possible that Wireshark can't see things that Tamper Data can? I'm experimenting with it and it appears that Wireshark doesn't see GET requests that Tamper Data sees, and I'm really interested in knowing why.
Normally I would suggest using Fiddler2 for debugging HTTP but it is Windows only, so a good fallback is Charles Proxy http://www.charlesproxy.com/download/
You may get better answers to this kind of question on webmasters.stackexchange.com and/or stackoverflow.com, as tools such as this are normally only used for web development, whereas Wireshark is designed for network engineers.