When an application like SIP has a message that spans multiple TCP segments, if I filter on the application using the Wireshark GUI, then export displayed packets as a new file, it successfully saves all the TCP segments that form each SIP request/response. However, if I do the same thing via tshark, it does NOT save all the segments, and I'm left with incomplete data. Example:

tshark -r big_trace.pcap -R 'sip.Call-ID == whatever' -w filtered.pcap

If big_trace.pcap contains large SIP requests/responses that span multiple TCP segments, the new file, filtered.pcap, will not contain all those segments, leaving me with incomplete data. Sometimes I end up with very large captures that my customers provide and they're too large to work with in the GUI, so I want to filter out what I need with the CLI tool and then look at the resulting data in the GUI. |
Apparently bug 8223 already covers this. There's a patch to fix it, but it's waiting on a decision of how to invoke this new behavior from tshark's command options.
Thanks. I did find the bug report and saw your comments there as well. I will wait patiently for an enhancement.
(02 Mar '13, 12:17)
gsgleason
|
I believe Wireshark didn't export the other TCP segments either, until just last year when enhancement 3315 was implemented. But that only added support for Wireshark doing it, not tshark. I suggest you submit a new enhancement request for this for tshark. I would have expected it to work by passing the
(01 Mar '13, 07:18)
cmaynard ♦♦
It definitely will also require a second pass, maybe even a third. But right now the code that does the dependency settings/checking for previous frames only exists in Wireshark.
(01 Mar '13, 13:01)
Hadriel
|
O.K. then you need to first get the TCP stream and then, in a second step, you can write all frames of that stream to a file.
Then take all the stream numbers of that output and run tshark
Regards Kurt
In this case, however, the TCP stream contains many different SIP calls. The application has one socket up for all traffic.
(28 Feb '13, 10:14)
gsgleason
In that case, how did you filter the data in Wireshark?
(28 Feb '13, 10:18)
Kurt Knochner ♦
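The two-step workaround described in the answer above (first collect the TCP stream numbers that carry the wanted Call-ID, then write every frame of those streams), as an added shell example that is not part of this thread and not code from the Wireshark project. It assumes tshark is in PATH and, like the question, uses the 1.8-era -R read filter; on tshark 1.10 or later the same commands take -Y instead. The file names and the Call-ID value are placeholders.

```shell
#!/bin/sh
# Two-pass tshark workaround (added example, not from the thread).
# Pass 1: find the TCP stream numbers that carry the wanted SIP Call-ID.
# Pass 2: write every frame of those streams, so SIP messages that span
# several TCP segments arrive complete in the output capture.
# Assumptions: tshark in PATH accepts -T fields / -e tcp.stream (it does
# in 1.8); big_trace.pcap, "whatever" and filtered.pcap are placeholders.

# Turn a newline-separated list of stream numbers into a display filter.
# Blank lines (non-TCP frames) and duplicates are dropped; an empty list
# yields an empty string so the caller can stop instead of writing an
# empty capture.
build_stream_filter() {
    printf '%s\n' "$1" | sed '/^$/d' | sort -n -u | awk '
        NR > 1 { out = out " || " }
        { out = out "tcp.stream == " $1 }
        END { printf "%s", out }'
}

# Run both passes. $1 = input pcap, $2 = Call-ID value, $3 = output pcap.
filter_sip_call() {
    in="$1"; callid="$2"; out="$3"

    # Pass 1: tcp.stream index of every frame whose SIP header matches.
    streams=$(tshark -r "$in" -R "sip.Call-ID == \"$callid\"" \
                     -T fields -e tcp.stream) || return 1

    flt=$(build_stream_filter "$streams")
    if [ -z "$flt" ]; then
        echo "no frames matched Call-ID $callid" >&2
        return 1
    fi

    # Pass 2: keep all frames of those streams, including the segments
    # that carry no SIP header of their own.
    tshark -r "$in" -R "$flt" -w "$out"
}

# Example invocation (placeholder file names and Call-ID):
# filter_sip_call big_trace.pcap whatever filtered.pcap
```

Because the second pass selects whole TCP streams, the output is a superset of the call you asked for: on a socket that multiplexes many calls (the situation gsgleason describes) every other call on that stream is written too, so you still apply the Call-ID filter once the smaller file is open in the GUI.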
|
I have also noticed this. I was under the impression that the tshark CLI filters are equivalent to the Wireshark display filters. I am using version 1.8.5.