I was made aware of Wireshark when I wanted to investigate certain HTTP requests to Elasticsearch. Wireshark is a network protocol analyzer with a GUI, while TShark is the equivalent CLI tool.

TShark has a lot of options and capabilities to get low-level network insights but what I wanted to do was pretty specific and simple: I wanted to intercept and monitor HTTP requests to a certain port on localhost.

tshark lets you do that, without the need to set up a proxy, which would be how I normally do this sort of thing.

As an example let’s start a server locally:

python -m SimpleHTTPServer 8000

Let’s send a request:

$ curl localhost:8000/hey
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 404.
<p>Message: File not found.
<p>Error code explanation: 404 = Nothing matches the given URI.
</body>

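It fails, as expected. With tshark you can monitor HTTP requests to port 8000 like this. Here -Y http.request is a display filter that keeps only HTTP requests, and the trailing 'tcp port 8000' is a capture filter that limits what gets captured in the first place. lo0 is the loopback interface name on macOS; on Linux it is lo.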

$ tshark -i lo0 -Y http.request 'tcp port 8000'
Capturing on 'Loopback: lo0'
5   0.000132    127.0.0.1 → 127.0.0.1    HTTP 137 GET /hey HTTP/1.1

Here’s how you can customize which HTTP data you see:

$ # Going to run curl -X POST localhost:8000/hey -d '{ "yo": true }' -H 'Content-Type: application/json' from another terminal
$ tshark -i lo0 -Y http.request -T fields -e http.request.method -e http.request.uri -e http.file_data 'tcp port 8000'
Capturing on 'Loopback: lo0'
POST	/hey	{ "yo": true }
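The tab-separated output above is easy to post-process. The following is an added example, not code from the original post: a small parser for lines in that field order which decodes the body and marks state-changing requests. The sample lines, the /old-index URI and all function names are constructed for illustration, and the hex handling rests on the assumption that some tshark versions print http.file_data as hex bytes instead of text.

```python
import json
import string

# Constructed sample of tshark -T fields output (tab-separated), field order:
# http.request.method, http.request.uri, http.file_data.
SAMPLE = (
    "GET\t/hey\t\n"
    'POST\t/hey\t{ "yo": true }\n'
    "POST\t/hey\t7b2022796f223a2074727565207d\n"  # same body, hex-encoded
    "DELETE\t/old-index\t\n"
)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def decode_body(raw):
    """Return the body as text, undoing hex encoding when the field looks like hex."""
    raw = raw.strip()
    if raw and len(raw) % 2 == 0 and all(c in string.hexdigits for c in raw):
        try:
            text = bytes.fromhex(raw).decode("utf-8")
        except UnicodeDecodeError:
            return raw  # hex-looking but not text: keep the field as printed
        # Heuristic: accept the decoding only if it yields readable text.
        if all(ch.isprintable() or ch.isspace() for ch in text):
            return text
    return raw


def parse_line(line):
    """Split one output line into method, URI and body (JSON-parsed if possible)."""
    parts = line.rstrip("\n").split("\t", 2)
    parts += [""] * (3 - len(parts))  # tolerate missing trailing fields
    method, uri, raw = parts
    body = decode_body(raw)
    try:
        parsed = json.loads(body) if body else None
    except ValueError:
        parsed = None
    return {"method": method, "uri": uri, "body": body, "json": parsed,
            "state_changing": method.upper() in STATE_CHANGING}


def parse_capture(text):
    """Parse every non-empty line of captured output into a record."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for rec in parse_capture(SAMPLE):
        marker = "!" if rec["state_changing"] else " "
        print(marker, rec["method"], rec["uri"], rec["json"])
```

To use it on live traffic, feed each line of the tshark command's standard output to parse_line; tshark's -l option flushes output after every packet so lines arrive as requests happen.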

If you want to see the request headers and body, you can get most of that data with the -O http,json option:

$ # Going to run curl -X POST localhost:8000/hey -d '{ "yo": true }' -H 'Content-Type: application/json' from another terminal
$ tshark -i lo0 -Y http.request -O http,json 'tcp port 8000'
Capturing on 'Loopback: lo0'
Frame 5: 204 bytes on wire (1632 bits), 204 bytes captured (1632 bits) on interface 0
Null/Loopback
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 54939, Dst Port: 8000, Seq: 1, Ack: 1, Len: 148
Hypertext Transfer Protocol
    POST /hey HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): POST /hey HTTP/1.1\r\n]
            [POST /hey HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: POST
        Request URI: /hey
        Request Version: HTTP/1.1
    Host: localhost:8000\r\n
    User-Agent: curl/7.54.0\r\n
    Accept: */*\r\n
    Content-Type: application/json\r\n
    Content-Length: 14\r\n
        [Content length: 14]
    \r\n
    [Full request URI: http://localhost:8000/hey]
    [HTTP request 1/1]
    File Data: 14 bytes
JavaScript Object Notation: application/json
    Object
        Member Key: yo
            True value
            Key: yo

Read more about TShark in the docs or just run tshark --help.