Official Documentation
tshark
Bits
Dumping form data in HTTP requests packet
tshark -r meerkat.pcap -Y "http.request.uri == \"/bonita/loginservice\"" -e urlencoded-form.key -e urlencoded-form.value -Tfields
username,password,_l install,install,en
username,password,_l Clerc.Killich@forela.co.uk,vYdwoVhGIwJ,en
username,password,_l install,install,en
username,password,_l Lauren.Pirozzi@forela.co.uk,wsp0Uy,en
username,password,_l install,install,en
username,password,_l Merna.Rammell@forela.co.uk,u7pWoF36fn,en
...
Currently, there's no way to convert HTTP POST form data into a csv without manual processing.
All values are getting treated as a single string instead of being mapped to their key.
Multiple output formats can be used but I found the json and ek and to be the most interesting.
JSON format output
The output format can be manipulated easily using jq
be can be really tedious when dealing with HTTP POST data.
tshark -T json -e urlencoded-form.key -e urlencoded-form.value | jq '{"username": .[]._source.layers."urlencoded-form.value"[0], "password": .[]._source.layers."urlencoded-form.value"[1]}'
Command output
...
{
"username": "Gianina.Tampling@forela.co.uk",
"password": "TQSNp6XrK"
}
{
"username": "Gianina.Tampling@forela.co.uk",
"password": "install"
}
...
EK format output
WIP