I understand how to see the full non-truncated record (in my case it's the actual HTML page that I'm trying to read, and it contains long lines) in Wireshark - it's a clicking operation to copy into the buffer. But I want to do the same in tshark, so as to automate it. So far from Google I've found at least one person asking this, and the response was that the 240 char limit is hardcoded and would not be feasible to make dynamic, therefore you would have to make your own build of Wireshark. On the other hand, it's clear that the pcap files are storing the full records, and indeed just getting tshark to mindlessly read from one pcap file and output to another one and then putting that into Wireshark confirms that all the data is still there. I just can't understand why this is not a huge problem for people - surely if you want to analyze traffic you sometimes (often) have to see the actual data being sent, and often it's in lines/records that are longer than 240 bytes. Can this not be fixed, or is there some workaround aside from the enormous task of rebuilding Wireshark itself? asked 02 Jun '13, 00:46 AdamZSI
2 Answers:
I just took a quick peek at the code and indeed it is not easy to change the truncation of displayed fields. If you want to reconstruct data sent over TCP sessions (and HTTP in particular in your case) you would do better to use the follow-stream options of tshark. From the manpage:
Which will result in:
Which can be parsed by a script quite easily. Or use ASCII, but then you end up with a lot of dots for the non-ASCII characters:
All in all, if reconstructing HTML pages is what you're after, I think there will be better tools available when you google for it. answered 02 Jun '13, 04:08 SYN-bit ♦♦
To SYN-bit, I really appreciate the in-depth answer and suggestions; it will almost certainly be helpful in some cases, but as it happens (and I should have mentioned this), this is data passing over SSL. The decryption is working well with the SSLKEYLOGFILE set in the env, but I don't know if that will be a problem if I try to isolate streams and dump them out raw like this? You say it will be easy to convert the hex with a script, but could you give me some pointers as to what kind of script that would be? By the way, the -x flag does really seem to give me what I want, with the tiny detail that the output format is 2-column hex/ASCII. Looking for a tool now to just extract the ASCII out of that directly. (02 Jun '13, 23:09) AdamZSI
I ran into this problem and I had trouble understanding the method used to access the un-truncated data in Wireshark (not tshark, I don't use that). Here is what I discovered. If you double-click a packet to open a detail view, highlight the truncated field, and then right-click, you don't get a context menu. I found it was necessary to highlight the truncated field in the 3-pane view, then right-click and select Copy > Value (or use the shortcut Ctrl+Shift+V), which copies the entire un-truncated field onto the clipboard. answered 06 Jun '17, 21:32 gaborkiss edited 06 Jun '17, 21:33
In partial answer to my own question, the flag -x seems to dump the packet in hex/ASCII. It's not a pretty solution, though, because what I am ultimately aiming to do is to recreate the HTML pages served. So if that's the only way to do it, it's going to get a bit hacky. Any other ideas offered are appreciated; I'm still confused why this wouldn't be enabled in tshark if it is in Wireshark. Thanks.
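An added example, not part of the original thread, of the kind of script SYN-bit's answer alludes to and AdamZSI asks about: it parses the offset / hex / ASCII layout that `tshark -z follow,tcp,hex,N` prints (the per-frame `-x` dump mentioned just above shares the same column layout), rebuilds each direction's byte stream from the hex columns only, ignoring the lossy dotted ASCII column, and then splits the HTTP body out of the server stream. The sample text is constructed, not captured; the parser assumes the layout of tshark's follow output: node-1 lines prefixed with a tab, at most 16 bytes per line, an extra space after the eighth byte, and the ASCII column separated from the hex by at least two spaces.

```python
import re

# Constructed sample in the layout of `tshark -z follow,tcp,hex,0` output (not a real
# capture): node 0 is the client, node 1 (server) lines are prefixed with a tab.
SAMPLE_FOLLOW_HEX = """\
===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 0
Node 0: 10.0.0.5:51234
Node 1: 10.0.0.9:80
00000000  47 45 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  GET / HTTP/1.1..
00000010  0d 0a                                              ..
\t00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d  HTTP/1.1 200 OK.
\t00000010  0a 0d 0a 3c 68 74 6d 6c  3e 68 69 3c 2f 68 74 6d  ...<html>hi</htm
\t00000020  6c 3e 0a                                           l>.
===================================================================
"""

# A data line starts with an optional tab (node 1), then a 4..8 digit hex offset
# followed by two spaces.  Banner, "Node" and separator lines never match.
OFFSET_RE = re.compile(r"^(\t?)([0-9A-Fa-f]{4,8})(?=\s{2})")
# One hex byte: 1-2 spaces before it (2 after the eighth byte), whitespace or EOL after.
# The padding before the ASCII column is wider than two spaces, so parsing stops there.
BYTE_RE = re.compile(r"\s{1,2}([0-9A-Fa-f]{2})(?=\s|$)")
BYTES_PER_LINE = 16


def parse_follow_hex(text):
    """Return (node0_bytes, node1_bytes) reconstructed from the hex columns only."""
    streams = {0: bytearray(), 1: bytearray()}
    for line in text.splitlines():
        m = OFFSET_RE.match(line)
        if not m:
            continue                      # not a data line
        node = 1 if m.group(1) else 0     # tab prefix marks the node-1 direction
        pos = m.end()
        for _ in range(BYTES_PER_LINE):
            b = BYTE_RE.match(line, pos)
            if not b:                     # reached the padding / ASCII column
                break
            streams[node].append(int(b.group(1), 16))
            pos = b.end()
    return bytes(streams[0]), bytes(streams[1])


def http_body(stream):
    """Drop the HTTP header block; return b'' when no header terminator is present."""
    _head, sep, body = stream.partition(b"\r\n\r\n")
    return body if sep else b""


if __name__ == "__main__":
    client, server = parse_follow_hex(SAMPLE_FOLLOW_HEX)
    print(client)                                     # the request line and headers
    print(http_body(server).decode("utf-8", "replace"))  # the served HTML
```

The hex columns are parsed rather than the ASCII column because the ASCII side replaces every non-printable byte with a dot, which is exactly the lossy output the answer warns about; reading the hex gives the original bytes back, including CR/LF and any binary content. For the decrypted-SSL case, current tshark versions also accept `-z follow,tls,hex,N` (older ones `follow,ssl`), which prints the decrypted stream in this same layout when the key log file is set, so the parser applies unchanged.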