To capture HTTPS traffic, tshark must first be set up so that it can decrypt the traffic.
A pre-master secret key is used to do this.
Basically, we need to get the browser to write an SSL key log file. This can be done by following the steps here: https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/.
In summary, the steps are:
- Set the SSLKEYLOGFILE environment variable in the terminal:
export SSLKEYLOGFILE=~/.ssl-key.log
- Open the browser from the terminal and go to the website you want to extract the stream from. (In my tests, this works with Firefox but not Chromium.)
- See below...
Tshark can operate on capture files and can also capture live.
Operating on capture files is done by
tshark -r <file>
and capturing live is done by
tshark -i <network interface>
In the following code examples, packets will be captured live, using the network interface wlp1s0 for Linux and Wi-Fi for Windows. The command should be modified as necessary. It can also be modified to work on capture files as shown above.
To capture all m3u8 URLs and print them to the console:
Linux:
tshark -i wlp1s0 -o tls.keylog_file:$SSLKEYLOGFILE -Y 'http2.headers.method == "GET" && http2.headers.path contains "m3u8"' -T fields -e "http2.headers.authority" -e "http2.headers.path"
Windows (PowerShell):
.\tshark -i "Wi-Fi" -o tls.keylog_file:$env:SSLKEYLOGFILE -Y 'http2.headers.method == "GET" && http2.headers.path contains "m3u8"' -T fields -e "http2.headers.authority" -e "http2.headers.path"
The Linux command breaks down as follows (an annotated breakdown, not a command to paste as is):
tshark -i wlp1s0 # capture live from network interface 'wlp1s0' (see above)
-o tls.keylog_file:$SSLKEYLOGFILE # use the SSL key log file to decrypt TLS
-Y 'http2.headers.method == "GET" && http2.headers.path contains "m3u8"' # keep only HTTP/2 "GET" requests whose path header contains "m3u8"
-T fields -e "http2.headers.authority" -e "http2.headers.path" # print the authority and path to the terminal
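If the tshark filter prints nothing, the first thing to rule out is that the browser never wrote usable secrets to the key log file. The following added example (not part of the original page) checks a file in the NSS key log format before it is handed to tshark: it counts TLS 1.2 and TLS 1.3 entries and rejects a file that other users can read, since the file is enough to decrypt the captured sessions. The helper names and the all-zero sample values are constructed for illustration.

```shell
# Added example (not from the original page): sanity-check an NSS-format TLS
# key log file before passing it to tshark. Helper names are hypothetical.

# Print "tls12=<n> tls13=<n> unrecognized=<n>" for the key log file in $1.
keylog_summary() {
    awk '
        function ishex(s, n) { return length(s) == n && s !~ /[^0-9A-Fa-f]/ }
        /^#/ || NF == 0 { next }                  # comments and blank lines
        NF != 3 || !ishex($2, 64) { bad++; next } # client random is 32 bytes
        $1 == "CLIENT_RANDOM" {                   # TLS 1.2: 48-byte master secret
            if (ishex($3, 96)) t12++; else bad++
            next
        }
        $1 ~ /^((CLIENT|SERVER)_(HANDSHAKE_TRAFFIC_SECRET|TRAFFIC_SECRET_0)|CLIENT_EARLY_TRAFFIC_SECRET|(EARLY_)?EXPORTER_SECRET)$/ {
            # TLS 1.3 secrets are one hash output long (SHA-256 or SHA-384)
            if (ishex($3, 64) || ishex($3, 96)) t13++; else bad++
            next
        }
        { bad++ }                                 # any other label
        END { printf "tls12=%d tls13=%d unrecognized=%d\n", t12, t13, bad }
    ' "$1"
}

# Return 2 if others can read the file, 1 if it holds no usable secrets, else 0.
keylog_check() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 2
    summary=$(keylog_summary "$1")
    echo "$summary"
    case $summary in "tls12=0 tls13=0 "*) return 1 ;; esac
}

# Constructed sample: all-zero values, not real secrets.
demo_keylog() {
    f=$(mktemp) && chmod 600 "$f"
    r=$(printf '%064d' 0); s=$(printf '%096d' 0)
    {
        echo "# constructed sample"
        echo "CLIENT_RANDOM $r $s"
        echo "CLIENT_HANDSHAKE_TRAFFIC_SECRET $r $r"
        echo "SERVER_TRAFFIC_SECRET_0 $r $s"
        echo "CLIENT_RANDOM $r deadbeef"
    } > "$f"
    keylog_check "$f"; rc=$?
    rm -f "$f"
    return $rc
}
demo_keylog   # prints: tls12=1 tls13=2 unrecognized=1
```

On a real setup, run keylog_check "$SSLKEYLOGFILE" after loading a page in the browser; a return code of 1 means the browser has not logged any session secrets yet.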