1
votes

I'm trying to use tshark to record each request sent to a WebService called myservice.

When I use below command, I can see in output file every request sent on port 8280 (Tomcat) :

tshark -n -i eth1 port 8280 -w output.pcap

Considering I have a lot of WebServices in that Tomcat instance, I would like to filter by service name, something like that :

tshark -n -i eth1 port 8280 -w output.pcap -R 'http.request.uri contains "myservice"'

According to the man page, it looks like I should use -f (capture filter) rather than -R (display filter), since you can't use -R with -w:

tshark: Read filters aren't supported when capturing and saving the captured packets.

I took a look at the documentation about capture filters, but I can't see a way to do that. I also tried with tcpdump, without success.

1
Apparently you cannot use a capture filter. See Wireshark Tools: String-Matching Capture Filter Generator. – user684451
You're right. I used ngrep as suggested by @Moshohayeb. – Mathieu B

1 Answer

1
votes

You can use ngrep for this

sudo ngrep -O output.pcap -i -d eth0 'myservice'

Although you might get some false positives, depending on whether or not 'myservice' is found in an irrelevant packet that was not intended for your application. To avoid this, you might want to apply a BPF filter to grep only traffic that was directed to your service/app:

sudo ngrep -O output.pcap -i -d eth0 'myservice' 'tcp dst port 8280'
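Both the question (a capture filter cannot match a substring of the HTTP request URI) and the answer (a plain string match such as ngrep's can hit packets that merely mention 'myservice' in a body or response) come down to the same point: selecting by URI needs the HTTP request line parsed, which is a job for a second, offline pass over the capture. The script below is an added example, not code from the asker or the answerer. It assumes a standard little- or big-endian pcap of Ethernet/IPv4/TCP frames such as the one produced by the question's `tshark -n -i eth1 port 8280 -w output.pcap`, parses each frame down to the TCP payload with only the standard library, keeps requests to the Tomcat port whose request-target contains the service name, and contrasts that with a naive byte-substring count. The sample frames are constructed in the script so it runs offline; the MAC and IP addresses, ports and payloads are made up.

```python
"""Post-filter a pcap by HTTP request URI (added example, not from the thread)."""
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
HTTP_METHODS = (b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH")


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw Ethernet frames in a minimal pcap file (global header + records)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [header]
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len; timestamps are constructed
        records.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        records.append(frame)
    return b"".join(records)


def iter_pcap(data: bytes) -> Iterator[bytes]:
    """Yield each captured frame from pcap bytes, honouring the file's byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    offset = 24                                   # size of the global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                          # not TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    dport = struct.unpack_from("!H", tcp, 2)[0]
    data_offset = (tcp[12] >> 4) * 4
    return dport, tcp[data_offset:]


def request_uri(payload: bytes) -> Optional[bytes]:
    """Parse the HTTP request line and return its request-target; None if not a request."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def filter_by_uri(pcap_bytes: bytes, needle: bytes, port: int) -> List[Tuple[bytes, bytes]]:
    """(uri, frame) pairs for requests to `port` whose request-target contains `needle`:
    the offline equivalent of the display filter http.request.uri contains "..."."""
    hits = []
    for frame in iter_pcap(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None or parsed[0] != port:
            continue
        uri = request_uri(parsed[1])
        if uri is not None and needle in uri:
            hits.append((uri, frame))
    return hits


def naive_matches(pcap_bytes: bytes, needle: bytes) -> int:
    """Frames where `needle` occurs anywhere in the raw bytes, i.e. what a plain
    string match does before any BPF filter narrows the traffic."""
    return sum(1 for frame in iter_pcap(pcap_bytes) if needle in frame)


def make_frame(dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (not validated here)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


# Constructed sample traffic: one real hit, three look-alikes, one non-IP frame.
SAMPLE_FRAMES = [
    make_frame(8280, b"GET /myservice/status HTTP/1.1\r\nHost: app\r\n\r\n"),
    make_frame(8280, b"POST /billing/submit HTTP/1.1\r\nHost: app\r\n"
                     b"Content-Length: 22\r\n\r\n{\"ref\": \"myservice-1\"}"),   # body only
    make_frame(8080, b"GET /myservice/status HTTP/1.1\r\nHost: other\r\n\r\n"),   # other port
    make_frame(40000, b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nmyservice ok"),  # response
    b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x06" + b"\x00" * 28,      # ARP
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    hits = filter_by_uri(SAMPLE_PCAP, b"myservice", 8280)
    print("raw substring hits:", naive_matches(SAMPLE_PCAP, b"myservice"))
    print("request URI hits:", [uri for uri, _ in hits])
    with open("filtered.pcap", "wb") as fh:      # keep only the matching requests
        fh.write(build_pcap([frame for _, frame in hits]))
```

Run as a script it reports four raw substring hits against a single URI hit and writes that one request to filtered.pcap. The same second pass can be done with tshark itself, since the restriction in the question's error message applies only to live capture: reading the file back with `tshark -r output.pcap -Y 'http.request.uri contains "myservice"' -w filtered.pcap` applies the display filter to a saved capture.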