This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Prevent tshark from parsing http response data

0

I'm running tshark on a web-surfing capture and noticed that it parses the HTTP response's data (when I choose PDML as the output format). This is somewhat annoying when the response consists of an image. I would rather get a blob of data which I can view later as an image, than the PNG's headers and their values. Here's an example:

<proto name="png" showname="Portable Network Graphics" size="3933" pos="631">
<field name="png.signature" showname="PNG Signature: 89504E470D0A1A0A" size="8" pos="631" show="89:50:4e:47:0d:0a:1a:0a" value="89504e470d0a1a0a"/>
<field name="" show="IHDR Image Header" size="33" pos="639" value="0000000d49484452000000300000003008060000005702f9870000000467414d41">
  <field name="png.chunk.len" showname="Len: 13" size="4" pos="639" show="13" value="0000000d"/>
  <field name="png.chunk.type" showname="Chunk: IHDR" size="4" pos="643" show="IHDR" value="49484452">
    <field name="png.ihdr.width" showname="Width: 48" size="4" pos="647" show="48" value="00000030"/>
    <field name="png.ihdr.height" showname="Height: 48" size="4" pos="651" show="48" value="00000030"/>

(and it goes on and on)

Is there a way to get tshark to "dechunk" and decompress the response's data, without it going further and parsing the data itself? I couldn't find this option in Wireshark's config file, but maybe I've missed it.

Thanks (and a happy new year!)

asked 03 Jan '11, 07:08


r0u1i


One Answer:

2

Try disabling the PNG protocol (under Analyze → Enabled Protocols...)

The above is for Wireshark.

If you do the above and then run tshark, the protocol will also be disabled in tshark since tshark reads the "disabled_protos" configuration file created when the protocol is disabled in Wireshark.

answered 03 Jan '11, 07:33


Bill Meier ♦♦

edited 03 Jan '11, 07:50

Thanks, should have thought about it on my own!

(03 Jan '11, 07:55) r0u1i
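
On a tshark-only machine with no Wireshark GUI, the "disabled_protos" file mentioned in the answer can be edited directly. The following is an added example, not part of the original thread or Wireshark's own code; it assumes the file holds one lowercase protocol filter name per line, and it takes the file path as an argument because the profile directory differs by platform.

```shell
#!/bin/sh
# Added example: manage the "disabled_protos" file that tshark reads.
# Assumptions: one protocol filter name per line, '#' lines are comments,
# and the caller supplies the path to the file in the active profile.
# Newer tshark releases also accept a per-run switch, for example
#   tshark --disable-protocol png -r capture.pcap -T pdml
# (capture.pcap is a placeholder file name).

# is_disabled FILE PROTO: succeed if PROTO is already listed in FILE
is_disabled() {
    [ -f "$1" ] && grep -qxF -- "$2" "$1"
}

# disable_proto FILE PROTO: append PROTO once, creating FILE if needed
disable_proto() {
    file=$1 proto=$2
    case $proto in
        ''|*[!a-z0-9_.-]*) echo "bad protocol name: $proto" >&2; return 2 ;;
    esac
    is_disabled "$file" "$proto" && return 0
    mkdir -p "$(dirname "$file")" || return 1
    # do not glue the new entry onto a last line that lacks a newline
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$proto" >> "$file"
}

# enable_proto FILE PROTO: remove PROTO so its dissector runs again
enable_proto() {
    file=$1 proto=$2
    [ -f "$file" ] || return 0
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when nothing is left to print; that is not an error
    grep -vxF -- "$proto" "$file" > "$tmp" || [ $? -eq 1 ] || return 1
    cat "$tmp" > "$file"
    rm -f "$tmp"
}
```

Calling `disable_proto <path to disabled_protos> png` before running tshark has the same effect as unticking PNG in the Enabled Protocols dialog; `enable_proto` reverses it.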