@ollybee
Last active March 10, 2023 11:09
Log all HTTP + HTTPS request locations

One-line tshark command to log all outbound HTTP and HTTPS connections.

| Request type | Output |
| --- | --- |
| For HTTP traffic, the IP and full request are shown | 104.131.8.184 http://catfact.ninja/fact |
| For HTTPS traffic using SNI, the IP and domain are shown | 104.131.8.184 catfact.ninja |
| HTTP requests on nonstandard ports are supported with no extra config | 35.180.139.74 http://portquiz.net:8080/ |
| If an HTTPS connection is made without SNI, then only the IP is shown | 35.180.139.74 |

All output is also timestamped.
Update the command with the source IP so that it filters only outbound traffic.

Command:

tshark -i eth0 -Tfields -e frame.time -e ip.dst -e ssl.handshake.extensions_server_name -e http.request.full_uri -Y '(ssl.handshake.extension.type == 0) or (http.request.full_uri)'

Newer tshark versions use tls instead of ssl:

tshark -i wlp1s0 -Tfields -e frame.time -e ip.dst -e tls.handshake.extensions_server_name -e http.request.full_uri -Y '(tls.handshake.extension.type == 0) or (http.request.full_uri)'
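
An added example (not part of the original gist) that post-processes the command's output in Python: it sorts each line into the cases from the table above and counts requests per destination. It assumes the four tab-separated fields of the first command (time, destination IP, SNI, full URI); the function names are illustrative and the sample lines, including their timestamps, are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of the four tab-separated fields the command prints:
# frame.time, ip.dst, SNI, http.request.full_uri (empty fields stay empty).
SAMPLE = [
    "Mar 10, 2023 11:09:01.000000000 GMT\t104.131.8.184\t\thttp://catfact.ninja/fact",
    "Mar 10, 2023 11:09:02.000000000 GMT\t104.131.8.184\tcatfact.ninja\t",
    "Mar 10, 2023 11:09:03.000000000 GMT\t35.180.139.74\t\thttp://portquiz.net:8080/",
    "Mar 10, 2023 11:09:04.000000000 GMT\t35.180.139.74\t\t",
    "Mar 10, 2023 11:09:05.000000000 GMT\t104.131.8.184\tcatfact.ninja\t",
]


def classify(line):
    """Turn one tshark output line into a dict describing the request."""
    fields = line.rstrip("\r\n").split("\t")
    fields += [""] * (4 - len(fields))          # tolerate missing trailing fields
    when, dst, sni, uri = fields[:4]
    if uri:                                     # cleartext HTTP: full URI visible
        return {"time": when, "dst": dst, "kind": "http",
                "host": urlsplit(uri).hostname, "detail": uri}
    if sni:                                     # TLS ClientHello carrying SNI
        return {"time": when, "dst": dst, "kind": "https-sni",
                "host": sni.lower(), "detail": sni}
    return {"time": when, "dst": dst, "kind": "https-no-sni",   # IP only
            "host": None, "detail": dst}


def summarize(lines):
    """Count requests per (kind, host-or-IP), skipping blank lines."""
    counts = Counter()
    for line in lines:
        if line.strip():
            rec = classify(line)
            counts[(rec["kind"], rec["host"] or rec["dst"])] += 1
    return counts


if __name__ == "__main__":
    for (kind, dest), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {kind:13s} {dest}")
```

Cleartext `http` entries and `https-no-sni` entries are the ones worth reviewing first, since the former expose full URLs on the wire and the latter give no hostname to check against an allowlist.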