I'm a teacher and I want to simulate a MITM attack with my students. The goal is to show why the HTTPS protocol must always be used.

On Debian, I installed tshark. All works fine: when I run the hotspot mode and run tshark, I can get HTTP packets and, digging a little, we can see the form data in plain text:

First, from the browser on the computer 10.42.0.21, when I enter the URL of the server (a simple GET request), tshark shows the GET request twice. I don't understand why... Is there a way to delete the duplicate or find the reason? (The server log shows two GET requests.)

Secondly, when I send a POST request to the server (via a simple HTML form), we can see the form data in plain text (which is logical, because the server uses the HTTP protocol and not HTTPS).

The current output is: Timestamp,POST / HTTP/1.1\r\n,\r\n,Form item : "fname" = "John"

Is it possible with tshark to get a prettier output containing only the items (field values) of the form? Like this: "fname" = "John"

Thanks for any help :)

EDIT: the duplicate is because of a favicon request; the issue is from my Python server, not from tshark.

spacecodeur

1 Answer

Use the grep command to search for lines containing form items, then split out the relevant data you want with the cut command.

In your example, something like tshark | grep "Form item" | cut -d":" -f2 would probably do what you want.

Mikael H
Thanks for your help, and indeed you're right! A simple pipe/grep can be sufficient... However, when I try it (with your example) I get a number in the output, which is strange... Screenshot here: https://i.ibb.co/31NQ4tn/IMG-20201231-213311735.jpg – spacecodeur Dec 31 '20 at 20:40
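An added example (not from the question or the answer) that runs the answer's grep/cut pipeline against a constructed sample in the comma-separated shape the question shows, and places a field-aware awk version beside it. The timestamps and values in the sample are made up; only the comma separator and the Form item : "fname" = "John" layout come from the question, and tshark itself is not invoked.

```shell
#!/bin/sh
# Constructed sample of tshark field output in the shape the question shows:
# timestamp, request line, empty header/body separator, then the form items,
# comma-separated. Values and timestamps are made up; the "\r\n" is tshark's
# literal escaped rendering of the line terminators.
SAMPLE_LINES='Dec 31, 2020 20:40:11.123456,GET / HTTP/1.1\r\n,\r\n
Dec 31, 2020 20:40:11.654321,GET /favicon.ico HTTP/1.1\r\n,\r\n
Dec 31, 2020 20:40:15.000001,POST / HTTP/1.1\r\n,\r\n,Form item : "fname" = "John",Form item : "lname" = "Doe"'

# The pipeline from the answer. cut splits on the FIRST ':' in the whole line,
# so when the timestamp field contains colons (20:40:15 here) field 2 is the
# minutes value, which is one way a bare number can appear instead of the item.
naive_cut() {
    grep "Form item" | cut -d":" -f2
}

# Field-aware version: split each line on the "Form item : " label itself, so
# the timestamp's colons are irrelevant, and print one key/value pair per line.
# Lines without a form item (the GET requests) produce no output; only the
# trailing comma separating two items is stripped.
form_items() {
    awk -F 'Form item : ' '
        NF > 1 {
            for (i = 2; i <= NF; i++) {
                sub(/,$/, "", $i)
                print $i
            }
        }'
}

# Stand-alone demonstration against the constructed sample. For a live capture,
# replace the printf with the tshark command from the question.
echo "--- grep | cut ---"
printf '%s\n' "$SAMPLE_LINES" | naive_cut
echo "--- form_items ---"
printf '%s\n' "$SAMPLE_LINES" | form_items
```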