I'm trying to read HTTPS requests from an application, and while I can somewhat make sense of the data using Wireshark, I cannot make tshark output the data as I want it. One of the problems I've noticed is that the content-type from the server is incorrect, so it parses the body as data-text-lines despite it being binary data.
What I've tried so far is:
sudo tshark -r /tmp/file.pcap -o tls.keylog_file:$SSLKEYLOGFILE -Y "tls and ip.src == xx.xx.xxx.xxx or ip.dst == xx.xx.xxx.xxx" -T json -2
I can't seem to make it output the HTTP response as raw decrypted data. It only seems to include the "data-text-lines", but even that contains "[Truncated]" fields, so I don't think it's very useful.
In Wireshark, when I use the "tls" filter and go to a request, clicking the "Decrypted TLS" tab shows the data I need.
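
One way to avoid the truncated display strings, as an added example that is not part of the original post: when tshark is run with `-T json -x`, each field gets a hex-encoded `<field>_raw` sibling, and this script decodes those instead of the text values. The sample JSON is constructed, and the key name `http.file_data_raw` is an assumption; the field that carries the body depends on how your tshark version dissects the response.

```python
import json

# Constructed sample in the shape of `tshark -T json -x` output: with -x, each
# field gets a "<name>_raw" sibling of the form [hex, offset, length, bitmask, type].
SAMPLE = json.dumps([
    {"_source": {"layers": {
        "frame": {"frame.number": "1"},
        "tls": {"tls.record.content_type": "23"},
    }}},
    {"_source": {"layers": {
        "frame": {"frame.number": "2"},
        "http": {
            "http.content_type": "text/plain",
            "http.file_data": "\\211PNG\\r\\n [truncated]",
            "http.file_data_raw": ["89504e470d0a1a0a0001ff", 310, 11, 0, 30],
        },
    }}},
])


def _decode(value):
    """Decode one raw entry, or a list of them when a field repeats."""
    if value and isinstance(value[0], str):
        value = [value]
    for entry in value:
        yield bytes.fromhex(entry[0])


def iter_raw(node, key):
    """Yield the bytes of every `key` entry found anywhere under `node`."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name == key:
                yield from _decode(value)
            else:
                yield from iter_raw(value, key)
    elif isinstance(node, list):
        for item in node:
            yield from iter_raw(item, key)


def extract_bodies(tshark_json, key="http.file_data_raw"):
    """Map frame number -> body bytes taken from the hex-encoded raw field."""
    bodies = {}
    for packet in json.loads(tshark_json):
        layers = packet["_source"]["layers"]
        chunks = list(iter_raw(layers, key))
        if chunks:
            bodies[int(layers["frame"]["frame.number"])] = b"".join(chunks)
    return bodies
```

Pass `key="data-text-lines_raw"` (or whichever `_raw` key your JSON actually contains) if the body is attached to a different layer.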