"Life is all about sharing. If we are good at something, pass it on." - Mary Berry

How to show all HTTP2 headers using tshark?

2020-05-05

After sniffing with tcpdump, how can I show all HTTP2 header using tshark?

First, find the frame number based on method:

1$ tshark -r grpc.pcapng -Y 'http2.headers.path contains "getBook"'
2214 923.033174    127.0.0.1 → 127.0.0.1    HTTP2 150 HEADERS[1]: POST /book.BookInfo/getBook

and then show the packet details:

 1tshark -r grpc.pcapng -Y "frame.number == 214" -V
 2
 3HyperText Transfer Protocol 2
 4    Stream: HEADERS, Stream ID: 1, Length 85, POST /book.BookInfo/getBook
 5        Length: 85
 6        Type: HEADERS (1)
 7        Flags: 0x04
 8            .... ...0 = End Stream: False
 9            .... .1.. = End Headers: True
10            .... 0... = Padded: False
11            ..0. .... = Priority: False
12            00.0 ..0. = Unused: 0x00
13        0... .... .... .... .... .... .... .... = Reserved: 0x0
14        .000 0000 0000 0000 0000 0000 0000 0001 = Stream Identifier: 1
15        [Pad Length: 0]
16        Header Block Fragment: 8386459162339faaf74e7eb92a94ec4c54dd39faff418b08…
17        [Header Length: 216]
18        [Header Count: 8]
19        Header: :method: POST
20            Name Length: 7
21            Name: :method
22            Value Length: 4
23            Value: POST
24            :method: POST
25            [Unescaped: POST]
26            Representation: Indexed Header Field
27            Index: 3
28        Header: :scheme: http
29            Name Length: 7
30            Name: :scheme
31            Value Length: 4
32            Value: http
33            :scheme: http
34            [Unescaped: http]
35            Representation: Indexed Header Field
36            Index: 6
37        Header: :path: /book.BookInfo/getBook
38            Name Length: 5
39            Name: :path
40            Value Length: 22
41            Value: /book.BookInfo/getBook
42            :path: /book.BookInfo/getBook
43            [Unescaped: /book.BookInfo/getBook]
44            Representation: Literal Header Field with Incremental Indexing - Indexed Name
45            Index: 5
46        Header: :authority: 127.0.0.1:50051
47            Name Length: 10
48            Name: :authority
49            Value Length: 15
50            Value: 127.0.0.1:50051
51            :authority: 127.0.0.1:50051
52            [Unescaped: 127.0.0.1:50051]
53            Representation: Literal Header Field with Incremental Indexing - Indexed Name
54            Index: 1
55        Header: content-type: application/grpc
56            Name Length: 12
57            Name: content-type
58            Value Length: 16
59            Value: application/grpc
60            content-type: application/grpc
61            [Unescaped: application/grpc]
62            Representation: Literal Header Field with Incremental Indexing - Indexed Name
63            Index: 31
64        Header: user-agent: grpc-go/1.24.0
65            Name Length: 10
66            Name: user-agent
67            Value Length: 14
68            Value: grpc-go/1.24.0
69            user-agent: grpc-go/1.24.0
70            [Unescaped: grpc-go/1.24.0]
71            Representation: Literal Header Field with Incremental Indexing - Indexed Name
72            Index: 58
73        Header: te: trailers
74            Name Length: 2
75            Name: te
76            Value Length: 8
77            Value: trailers
78            [Unescaped: trailers]
79            Representation: Literal Header Field with Incremental Indexing - New Name
80        Header: grpc-client: evans
81            Name Length: 11
82            Name: grpc-client
83            Value Length: 5
84            Value: evans
85            [Unescaped: evans]
86            Representation: Literal Header Field with Incremental Indexing - New Name

Read More...