This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

When writing to file with tshark using display filter, not all TCP segments are saved.

0

When an application like SIP has a message that spans multiple TCP segments, if I filter on the application using the wireshark GUI, then export displayed packets as a new file, it successfully saves all the TCP segments that form each SIP request/response.

However, if I do the same thing via tshark, it does NOT save all the segments, and I'm left with incomplete data.

Example: tshark -r big_trace.pcap -R 'sip.Call-ID == whatever' -w filtered.pcap

If big_trace.pcap contains large SIP requests/responses that span multiple TCP segments, the new file, filtered.pcap, will not contain all those segments, leaving me with incomplete data.

Sometimes I end up with very large captures that my customers provide and they're too large to work with in the GUI, so I want to filter out what I need with the CLI tool and then look at the resulting data in the GUI.

asked 28 Feb '13, 07:05


gsgleason
accept rate: 0%

edited 28 Feb '13, 07:07

I have also noticed this. I was under the impression that the tshark CLI filters are equivalent to the wireshark display filters. I am using version 1.8.5.

(28 Feb '13, 07:17) jclogan

3 Answers:

1

Apparently bug 8223 already covers this. There's a patch to fix it, but it's waiting on a decision on how to invoke this new behavior from tshark's command options.

answered 02 Mar '13, 08:57


Hadriel
accept rate: 18%

Thanks. I did find the bug report and saw your comments there as well. I will wait patiently for an enhancement.

(02 Mar '13, 12:17) gsgleason

2

I believe Wireshark didn't export the other TCP segments either, until just last year when enhancement 3315 was implemented. But that only added support for Wireshark doing it, not tshark. I suggest you submit a new enhancement request for this for tshark.

answered 28 Feb '13, 21:08


Hadriel
accept rate: 18%

I would have expected it to work by passing the -2 option to tshark, but unfortunately that wasn't the case in my testing. So yeah, it looks like a new bug request is in order.

(01 Mar '13, 07:18) cmaynard ♦♦

It definitely will also require a second pass, maybe even a third. But right now the code that does the dependency settings/checking for previous frames only exists in Wireshark.

(01 Mar '13, 13:01) Hadriel

0

Sometimes I end up with very large captures that my customers provide and they're too large to work with in the GUI, so I want to filter out what I need with the CLI tool and then look at the resulting data in the GUI.

O.K., then you need to first get the TCP stream and then, in a second step, you can write all frames of that stream to a file.

`tshark -r big_trace.pcap -R 'sip.Call-ID == whatever' -T fields -e tcp.stream`

Then take all the stream numbers of that output and run tshark:

`tshark -r big_trace.pcap -R 'tcp.stream == xxx or tcp.stream == yy' -w filtered.pcap`

Regards
Kurt

answered 28 Feb '13, 09:58


Kurt Knochner ♦
accept rate: 15%
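The two-step procedure in this answer, scripted end to end, as an added example (not Kurt's own code or part of the original answer). It assumes tshark is on PATH and uses the -R read-filter syntax shown on this page; the stream-number output of step one is turned into the "tcp.stream == xxx or ..." filter of step two automatically.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumes: tshark on PATH, and the "-R <display filter>" syntax used above.

# Step 1 post-processing: tshark -T fields -e tcp.stream prints one stream
# number per matching frame, so the list has duplicates and possibly blank
# lines (frames with no TCP layer). Reduce it to a single display filter:
#   "tcp.stream == 3 or tcp.stream == 7 or tcp.stream == 12"
# Reads stream numbers from stdin, writes the filter (or nothing) to stdout.
build_stream_filter() {
    grep -E '^[0-9]+$' | sort -n -u | awk '
        NR > 1 { printf " or " }
        { printf "tcp.stream == %s", $1 }
        END { printf "\n" }'
}

# Steps 1 and 2 together: find every TCP stream that carries the Call-ID,
# then write all frames of those streams (including the continuation
# segments that carry no SIP header) to a new capture file.
#   usage: filter_sip_call big_trace.pcap 'a84b4c76e66710@pc33.example' filtered.pcap
filter_sip_call() {
    trace=$1; callid=$2; out=$3
    filter=$(tshark -r "$trace" -R "sip.Call-ID == \"$callid\"" \
                    -T fields -e tcp.stream | build_stream_filter)
    if [ -z "$filter" ]; then
        echo "no frames in $trace matched Call-ID $callid" >&2
        return 1
    fi
    # Caveat raised in the comments: this writes the whole stream, so if one
    # socket carries many calls, the output includes those other calls too.
    tshark -r "$trace" -R "$filter" -w "$out"
}
```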

Kurt, in this case, however, the TCP stream contains many different SIP calls. The application has one socket up for all traffic.

(28 Feb '13, 10:14) gsgleason

however, the TCP stream contains many different SIP calls.

In that case, how did you filter the data in wireshark?

(28 Feb '13, 10:18) Kurt Knochner ♦