
When an application like SIP has a message that spans multiple TCP segments, if I filter on the application using the Wireshark GUI, then export displayed packets as a new file, it successfully saves all the TCP segments that form each SIP request/response.

However, if I do the same thing via tshark, it does NOT save all the segments, and I'm left with incomplete data.

Example: `tshark -r big_trace.pcap -R 'sip.Call-ID == whatever' -w filtered.pcap`

If big_trace.pcap contains large SIP requests/responses that span multiple TCP segments, the new file, filtered.pcap, will not contain all those segments, leaving me with incomplete data.

Sometimes I end up with very large captures that my customers provide and they're too large to work with in the GUI, so I want to filter out what I need with the CLI tool and then look at the resulting data in the GUI.

asked 28 Feb '13, 07:05

gsgleason

edited 28 Feb '13, 07:07

I have also noticed this. I was under the impression that the tshark CLI filters are equivalent to the Wireshark display filters. I am using version 1.8.5.

(28 Feb '13, 07:17) jclogan

Apparently bug 8223 already covers this. There's a patch to fix it, but waiting on a decision of how to invoke this new behavior from tshark's command options.

answered 02 Mar '13, 08:57

Hadriel

Thanks. I did find the bug report and saw your comments there as well. I will wait patiently for an enhancement.

(02 Mar '13, 12:17) gsgleason

I believe Wireshark didn't export the other TCP segments either, until just last year when enhancement 3315 was implemented. But that only added support for Wireshark doing it, not tshark. I suggest you submit a new enhancement request for this for tshark.

answered 28 Feb '13, 21:08

Hadriel

I would have expected it to work by passing the -2 option to tshark, but unfortunately that wasn't the case in my testing. So yeah, it looks like a new bug request is in order.

(01 Mar '13, 07:18) cmaynard ♦♦

It definitely will also require a second pass, maybe even a third. But right now the code that does the dependency settings/checking for previous frames only exists in Wireshark.

(01 Mar '13, 13:01) Hadriel

> Sometimes I end up with very large captures that my customers provide and they're too large to work with in the GUI, so I want to filter out what I need with the CLI tool and then look at the resulting data in the GUI.

O.K., then you need to first get the TCP stream and then, in a second step, you can write all frames of that stream to a file.

`tshark -r big_trace.pcap -R 'sip.Call-ID == whatever' -T fields -e tcp.stream`

Then take all the stream numbers of that output and run tshark:

`tshark -r big_trace.pcap -R 'tcp.stream == xxx or tcp.stream == yy' -w filtered.pcap`

Regards
Kurt

answered 28 Feb '13, 09:58

Kurt Knochner ♦

Kurt, in this case, however, the TCP stream contains many different SIP calls. The application has one socket up for all traffic.

(28 Feb '13, 10:14) gsgleason

> however, the TCP stream contains many different SIP calls.

In that case, how did you filter the data in Wireshark?

(28 Feb '13, 10:18) Kurt Knochner ♦
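Kurt's two-step procedure, scripted as an added example that is not code from the thread: it collects the tcp.stream numbers of the frames matching one Call-ID and then writes every frame of those streams, so messages spanning several segments come out complete. It assumes a current tshark on PATH, where `-Y` is the display-filter option (the 1.8-era commands in the thread use `-R`); the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a current tshark on PATH
# (-Y selects the display filter; the 1.8-era commands in the thread use -R).

# Turn a list of tcp.stream numbers (one per line, any order, duplicates and
# blank lines allowed) into one display filter such as
#   tcp.stream == 3 or tcp.stream == 7
# Prints nothing if no valid stream number is present.
build_stream_filter() {
    printf '%s\n' "$1" | grep -E '^[0-9]+$' | sort -n -u |
        awk '{ f = (NR == 1) ? "" : f " or "
               f = f "tcp.stream == " $0 }
             END { printf "%s", f }'
}

# Pass 1: which TCP streams carry SIP frames with this Call-ID?
# Pass 2: write every segment of those streams, not just the matching frames.
# $1 = input pcap, $2 = Call-ID value, $3 = output pcap
export_sip_streams() {
    in_pcap=$1; call_id=$2; out_pcap=$3
    # SIP over UDP prints an empty tcp.stream field; build_stream_filter drops it.
    streams=$(tshark -r "$in_pcap" -Y "sip.Call-ID == \"$call_id\"" \
                     -T fields -e tcp.stream) || return 1
    filter=$(build_stream_filter "$streams")
    if [ -z "$filter" ]; then
        echo "no TCP-carried SIP frames matched Call-ID $call_id" >&2
        return 1
    fi
    # Caveat raised in the thread: a connection that multiplexes many dialogs
    # over one socket is written out whole, so other calls on it come along.
    # Narrow down again in the GUI with a sip.Call-ID filter after loading.
    tshark -r "$in_pcap" -Y "$filter" -w "$out_pcap"
}

# Usage: export_sip_streams big_trace.pcap 'whatever' filtered.pcap
```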