
Hello,

I'm analyzing a 3-layer protocol (3 layers on top of tcp), and I use the "Follow TCP stream" a lot. This option, however, shows all data in layers above TCP. Is there a way to use "Follow TCP stream" without viewing all layers above TCP? Can I choose which layers appear?

Thanks

Nitay

asked 29 Aug '13, 07:46

nitay


In my case - I need it for Modbus communication (Modbus commands on top of ModbusTCP comms - shows as different layers in Wireshark)

If you just need the Modbus fields in text form, you could try to use tshark

tshark -nr input.pcap -R "mbtcp" -T fields -E header=y -e frame.number -e ip.src -e ip.dst -e modbus.func_code -e modbus.data

Sample Output:

frame.number    ip.src  ip.dst  modbus.func_code        modbus.data
4       192.168.45.20   192.168.45.205  126     05:03:01:00:00:30
5       192.168.45.205  192.168.45.20   126     07:03:01:00:00:30:08:99
6       192.168.45.20   192.168.45.205  126     05:03:10:00:00:30
7       192.168.45.205  192.168.45.20   126
8       192.168.45.20   192.168.45.205  126     05:03:01:0f:ff:51
9       192.168.45.205  192.168.45.20   126     07:03:01:0f:ff:51:d2:21
10      192.168.45.20   192.168.45.205  126     05:03:08:00:01:51

See the docs for more Modbus fields

http://www.wireshark.org/docs/dfref/m/mbtcp.html

Regards
Kurt


answered 31 Aug '13, 15:26

Kurt Knochner ♦

edited 31 Aug '13, 15:29

I'll try that, thanks! I think it could be nice to add a graphic feature that does exactly that though

(02 Sep '13, 02:04) nitay

I think it could be nice to add a graphic feature that does exactly that though

That feature is already there. Just add custom columns with the field names modbus.func_code and modbus.data

(02 Sep '13, 04:36) Kurt Knochner ♦

I mean, something that resembles the "Follow TCP Stream" screen

(08 Sep '13, 04:13) nitay

Modbus doesn't have the concept of beginning and ending a session, unlike TCP, so there is no "stream" to follow.

What is it you actually want to see that "resembles a TCP stream"?

(08 Sep '13, 07:23) grahamb ♦

I mean, something that resembles the "Follow TCP Stream" screen

Can you please add a sample pcap file and some information about the output you want to have?

(09 Sep '13, 01:54) Kurt Knochner ♦

I'm sorry for bringing this up again! It seems that the data for packets larger than ~70 bytes isn't being printed. Any idea why?

(12 Dec '13, 04:31) nitay

Can you post a sample capture file somewhere (Google Drive, Dropbox, cloudshark.org or mega.co.nz)?

(12 Dec '13, 04:52) Kurt Knochner ♦

Is there a way to use "Follow TCP stream" without viewing all layers above TCP?

No, because "Follow TCP Stream" is intended to show all the bytes of the TCP segments, which means showing all the layers.

If you can more precisely specify what you want to see, a separate feature could perhaps be implemented to provide that.


answered 29 Aug '13, 15:03

Guy Harris ♦♦
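Added example (not code from this thread or from Wireshark) tying the two answers together: Kurt's tshark command prints modbus.func_code and modbus.data per packet, and Guy's point is that Follow TCP Stream can only show every byte of every layer. The script below walks a reassembled TCP payload the way a dissector would, splits it into Modbus/TCP ADUs and prints only the PDU fields, so the MBAP header (the "noise" the question is about) never appears. It assumes the standard Modbus/TCP framing: a 7-byte MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU (function code plus data), where the length field counts the unit id and the PDU. The sample bytes are constructed, not taken from the asker's capture. (On current tshark the display-filter switch is -Y; -R has become a two-pass read filter that needs -2.)

```python
"""Follow a Modbus/TCP stream without the MBAP "noise".

Added example for this thread (not code from the thread or from Wireshark).
Framing assumed from the Modbus/TCP messaging spec: a 7-byte MBAP header
(transaction id, protocol id = 0, length, unit id) followed by the PDU
(function code + data), where `length` counts the unit id and the PDU.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List

MBAP_FMT = ">HHHB"                    # transaction id, protocol id, length, unit id
MBAP_LEN = struct.calcsize(MBAP_FMT)  # 7 bytes


@dataclass
class ModbusPdu:
    transaction_id: int
    unit_id: int
    func_code: int
    data: bytes

    @property
    def is_exception(self) -> bool:
        # A response with bit 7 of the function code set carries an
        # exception code in its single data byte instead of payload.
        return bool(self.func_code & 0x80)

    def data_hex(self) -> str:
        # Same colon-separated form tshark prints for modbus.data.
        return ":".join(f"{b:02x}" for b in self.data)


def iter_pdus(stream: bytes) -> Iterator[ModbusPdu]:
    """Yield each complete ADU found in `stream`.

    Modbus has no session open/close, so the MBAP length field is the only
    thing that delimits one request or response from the next. A trailing
    partial ADU is left alone (its remainder would arrive in a later TCP
    segment); a wrong protocol id or an impossible length raises ValueError.
    """
    off = 0
    while off + MBAP_LEN <= len(stream):
        tid, proto, length, unit = struct.unpack_from(MBAP_FMT, stream, off)
        if proto != 0:
            raise ValueError(f"offset {off}: protocol id {proto} is not Modbus")
        if length < 2 or length > 254:
            raise ValueError(f"offset {off}: MBAP length {length} out of range")
        end = off + MBAP_LEN - 1 + length   # length already counts the unit id
        if end > len(stream):
            break                            # partial ADU, wait for more data
        func = stream[off + MBAP_LEN]
        data = bytes(stream[off + MBAP_LEN + 1:end])
        yield ModbusPdu(tid, unit, func, data)
        off = end


def follow_modbus(stream: bytes) -> List[str]:
    """One text line per PDU, like a Follow-TCP-Stream window minus MBAP."""
    lines = []
    for pdu in iter_pdus(stream):
        tag = "exception " if pdu.is_exception else ""
        lines.append(f"tid={pdu.transaction_id} unit={pdu.unit_id} "
                     f"{tag}func={pdu.func_code & 0x7F} data={pdu.data_hex()}")
    return lines


# Constructed sample: two TCP segments of one conversation. One ADU is split
# across the segment boundary and the stream ends in a partial ADU, which is
# why a per-packet view and a per-stream view of the same bytes can differ.
SEGMENTS = [
    bytes.fromhex("0001 0000 0006 01 03 0000 0002"       # read holding regs 0-1
                  "0001 0000 0007 01 03"),               # response, cut short
    bytes.fromhex("04 000a 000b"                         # rest of the response
                  "0002 0000 0003 01 83 02"              # exception: illegal addr
                  "0003 0000 0006 01 03"),               # next request, partial
]
STREAM = b"".join(SEGMENTS)   # what TCP reassembly hands the dissector

if __name__ == "__main__":
    for line in follow_modbus(STREAM):
        print(line)
```

Run on STREAM it prints three lines (two read-holding-registers PDUs and one exception response) and stops at the partial fourth ADU; run on SEGMENTS[0] alone it prints only the first request, which is the same effect as a per-packet field extraction seeing a PDU that is not yet complete in that frame.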

Okay, let's take SMB for example, which lies on NetBIOS session service, which runs on TCP. I'd like a way to follow the SMB data without viewing the NetBIOS "noise"

In my case - I need it for Modbus communication (Modbus commands on top of ModbusTCP comms - shows as different layers in Wireshark)

(31 Aug '13, 13:09) nitay

Okay, let's take SMB for example, which lies on NetBIOS session service, which runs on TCP. I'd like a way to follow the SMB data without viewing the NetBIOS "noise"

In Follow TCP Stream, that's all really noise, with the possible exception of text file blocks being read and written and directories being scanned, as it's an attempt to display binary data as "text". If your protocol isn't a largely text-based protocol, Follow TCP Stream is useful only as a quick way to filter the display (run Follow TCP Stream and then close the Follow TCP Stream window).

In that example, what you want is something very different from Follow TCP Stream; either you want a display that shows, in a separate window, some or all of the dissection at the SMB layer, or you want a way to show, in the main window, SMB without some or all of the layers below it.

In your particular Modbus example, what exactly are you asking for?

(31 Aug '13, 13:51) Guy Harris ♦♦
question was seen: 3,135 times

last updated: 15 Dec '13, 01:31

p​o​w​e​r​e​d by O​S​Q​A