Hello, I'm analyzing a 3-layer protocol (3 layers on top of TCP), and I use the "Follow TCP stream" a lot. This option, however, shows all data in layers above TCP. Is there a way to use "Follow TCP stream" without viewing all layers above TCP? Can I choose which layers appear? Thanks, Nitay

asked 29 Aug '13, 07:46 nitay
2 Answers:
If you just need the Modbus fields in text form, you could try to use tshark
Sample Output:
See the docs for more Modbus fields. Regards

answered 31 Aug '13, 15:26 Kurt Knochner ♦ edited 31 Aug '13, 15:29
No, because "Follow TCP Stream" is intended to show all the bytes of the TCP segments, which means showing all the layers. If you can more precisely specify what you want to see, a separate feature could perhaps be implemented to provide that.

answered 29 Aug '13, 15:03 Guy Harris ♦♦

Okay, let's take SMB for example, which lies on NetBIOS session service, which runs on TCP. I'd like a way to follow the SMB data without viewing the NetBIOS "noise". In my case I need it for Modbus communication (Modbus commands on top of Modbus/TCP comms, shown as different layers in Wireshark). (31 Aug '13, 13:09) nitay

In Follow TCP Stream, that's all really noise, with the possible exception of text file blocks being read and written and directories being scanned, as it's an attempt to display binary data as "text". If your protocol isn't a largely text-based protocol, Follow TCP Stream is useful only as a quick way to filter the display (run Follow TCP Stream and then close the Follow TCP Stream window). In that example, what you want is something very different from Follow TCP Stream; either you want a display that shows, in a separate window, some or all of the dissection at the SMB layer, or you want a way to show, in the main window, SMB without some or all of the layers below it. In your particular Modbus example, what exactly are you asking for? (31 Aug '13, 13:51) Guy Harris ♦♦
I'll try that, thanks! I think it could be nice to add a graphic feature that does exactly that though
That feature is already there. Just add custom columns with the field names modbus.func_code and modbus.data
I mean, something that resembles the "Follow TCP Stream" screen
Modbus doesn't have the concept of beginning and ending a session unlike TCP so there is no "stream" to follow.
What is it you actually want to see that "resembles a TCP stream"?
Can you please add a sample pcap file and some information about the output you want to have?
I'm sorry for bringing this up again! It seems that the data for packets larger than ~70 bytes isn't being printed. Any idea why?
Can you post a sample capture file somewhere (Google Drive, Dropbox, cloudshark.org or mega.co.nz)?
Converted into its own question: http://ask.wireshark.org/questions/28050/tshark-doesnt-display-the-longer-data-fields-mbtcp
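The thread above turns on one point: Modbus/TCP has no session, so there is no stream to follow, but each TCP payload is a sequence of ADUs (a 7-byte MBAP header followed by a PDU of function code plus data), which is exactly what the modbus.func_code and modbus.data fields in Kurt's tshark suggestion expose. The following is an added example, not code from the thread or from Wireshark: a small Python parser that walks a reassembled TCP payload, strips the MBAP layer, and renders one line per PDU, including a write request whose data is longer than the ~70 bytes mentioned in the last comments and a truncated trailing header. The sample bytes are constructed inline; the function names and the one-line output format are my own.

```python
"""Carve Modbus/TCP PDUs out of a reassembled TCP payload.

Constructed example (not from the original thread): SAMPLE_STREAM is built
inline to look like what Follow TCP Stream would show for a Modbus/TCP
conversation, MBAP headers included. Field layouts follow the Modbus/TCP
specification: MBAP = transaction id (2), protocol id (2), length (2), unit id (1).
"""
import struct
from typing import Dict, List, Tuple

MBAP_LEN = 7          # bytes in the MBAP header
MODBUS_PROTO_ID = 0   # protocol id is always 0 for Modbus/TCP

# Function codes whose request body is a fixed "start address, quantity" pair
ADDR_QTY_REQUESTS = {1, 2, 3, 4}


def split_modbus_adus(stream: bytes) -> Tuple[List[Dict], bytes]:
    """Return (parsed ADUs, unconsumed tail) for a stream of MBAP+PDU frames.

    The MBAP length field counts the unit id plus the PDU, so a frame ends at
    offset + 6 + length. A frame whose end lies beyond the buffer is left in
    the tail so the caller can append the next TCP segment and retry.
    """
    adus: List[Dict] = []
    offset = 0
    while len(stream) - offset >= MBAP_LEN:
        tid, pid, length, uid = struct.unpack_from(">HHHB", stream, offset)
        if pid != MODBUS_PROTO_ID:
            raise ValueError(f"protocol id {pid} at offset {offset}: not Modbus/TCP")
        if length < 2:
            raise ValueError(f"length {length} at offset {offset} cannot hold unit id + function code")
        end = offset + 6 + length
        if end > len(stream):
            break  # partial frame at the end of the buffer; keep it for later
        pdu = stream[offset + MBAP_LEN:end]
        adus.append({"transaction": tid, "unit": uid, "func_code": pdu[0], "data": pdu[1:]})
        offset = end
    return adus, stream[offset:]


def describe(adu: Dict) -> str:
    """One text line per PDU, modelled on tshark's modbus.func_code / modbus.data fields."""
    fc, data = adu["func_code"], adu["data"]
    line = f"tid={adu['transaction']} unit={adu['unit']} func={fc}"
    if fc & 0x80:
        # exception response: low 7 bits are the original function, data[0] is the exception code
        return line + f" exception(func={fc & 0x7F}, code={data[0] if data else '?'})"
    if fc in ADDR_QTY_REQUESTS and len(data) == 4:
        addr, qty = struct.unpack(">HH", data)
        return line + f" start=0x{addr:04x} qty={qty}"
    if fc == 16 and len(data) >= 5:
        addr, qty, nbytes = struct.unpack_from(">HHB", data)
        return line + f" start=0x{addr:04x} qty={qty} bytes={nbytes} data={data[5:].hex()}"
    return line + f" data={data.hex()}"


def follow_modbus(stream: bytes) -> List[str]:
    """The Follow TCP Stream view reduced to the Modbus layer only."""
    adus, _tail = split_modbus_adus(stream)
    return [describe(a) for a in adus]


def build_adu(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Construct a sample frame; fills in the MBAP length (unit id + function + data)."""
    return struct.pack(">HHHB", tid, MODBUS_PROTO_ID, 1 + 1 + len(data), unit) + bytes([func]) + data


# Constructed sample stream: a read request, its reply, a long write, and a cut-off header.
SAMPLE_STREAM = (
    build_adu(1, 1, 3, struct.pack(">HH", 0x0000, 10))                       # read 10 holding registers
    + build_adu(1, 1, 3, bytes([20]) + bytes(range(20)))                     # reply: byte count + 20 bytes
    + build_adu(2, 1, 16, struct.pack(">HHB", 0x0100, 40, 80) + bytes(80))   # write 40 registers, 85-byte data
    + b"\x00\x03\x00\x00"                                                    # start of a 4th frame, truncated
)

if __name__ == "__main__":
    for line in follow_modbus(SAMPLE_STREAM):
        print(line)
```

The tail returned by split_modbus_adus is what makes this usable on real captures: feed it each TCP segment's payload in order, prepend the previous tail, and frames split across segments are picked up once the rest arrives. Anything with a non-zero protocol id is rejected rather than guessed at, which is the check to keep if the stream also carries other traffic.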