
Follow TCP stream by layer

0

Hello,

I'm analyzing a 3-layer protocol (3 layers on top of tcp), and I use the "Follow TCP stream" a lot. This option, however, shows all data in layers above TCP. Is there a way to use "Follow TCP stream" without viewing all layers above TCP? Can I choose which layers appear?

Thanks

Nitay

asked 29 Aug '13, 07:46


nitay


2 Answers:

1

In my case - I need it for Modbus communication (Modbus commands on top of ModbusTCP comms - shows as different layers in Wireshark)

If you just need the Modbus fields in text form, you could try to use tshark:

tshark -nr input.pcap -R "mbtcp" -T fields -E header=y -e frame.number -e ip.src -e ip.dst -e modbus.func_code -e modbus.data

Sample Output:

frame.number    ip.src  ip.dst  modbus.func_code        modbus.data
4       192.168.45.20   192.168.45.205  126     05:03:01:00:00:30
5       192.168.45.205  192.168.45.20   126     07:03:01:00:00:30:08:99
6       192.168.45.20   192.168.45.205  126     05:03:10:00:00:30
7       192.168.45.205  192.168.45.20   126
8       192.168.45.20   192.168.45.205  126     05:03:01:0f:ff:51
9       192.168.45.205  192.168.45.20   126     07:03:01:0f:ff:51:d2:21
10      192.168.45.20   192.168.45.205  126     05:03:08:00:01:51

See the docs for more Modbus fields:

http://www.wireshark.org/docs/dfref/m/mbtcp.html

Regards
Kurt

answered 31 Aug '13, 15:26


Kurt Knochner ♦

edited 31 Aug '13, 15:29

I'll try that, thanks! I think it could be nice to add a graphic feature that does exactly that though

(02 Sep '13, 02:04) nitay
1

I think it could be nice to add a graphic feature that does exactly that though

That feature is already there. Just add custom columns with the field names modbus.func_code and modbus.data

(02 Sep '13, 04:36) Kurt Knochner ♦

I mean, something that resembles the "Follow TCP Stream" screen

(08 Sep '13, 04:13) nitay

Modbus doesn't have the concept of beginning and ending a session unlike TCP so there is no "stream" to follow.

What is it you actually want to see that "resembles a TCP stream"?

(08 Sep '13, 07:23) grahamb ♦

I mean, something that resembles the "Follow TCP Stream" screen

Can you please add a sample pcap file and some information about the output you want to have?

(09 Sep '13, 01:54) Kurt Knochner ♦

I'm sorry for bringing this up again! It seems that the data for packets larger than ~70 bytes isn't being printed. Any idea why?

(12 Dec '13, 04:31) nitay

Can you post a sample capture file somewhere (Google Drive, Dropbox, cloudshark.org or mega.co.nz)?

(12 Dec '13, 04:52) Kurt Knochner ♦
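The tshark command above pulls modbus.func_code and modbus.data out of each frame because the dissector already knows where the Modbus/TCP (MBAP) header ends and the Modbus PDU begins. The following is an added example, not code from the thread or from Wireshark, that does the same split by hand on a raw TCP payload, which is what "Follow TCP Stream" hands you: it walks the MBAP headers (transaction id, protocol id, length, unit id), emits one record per PDU in the same shape as the tshark fields, and keeps any trailing partial ADU so the caller can prepend it to the next segment. The sample stream is constructed here; its function code 126 and data bytes are modelled on the sample output above, and the builder, record names and the assumption that protocol id 0 marks Modbus are this example's own.

```python
"""Split a raw Modbus/TCP byte stream into per-PDU records (added example)."""
import struct
from typing import List, NamedTuple, Tuple

# MBAP header: transaction id (2) + protocol id (2) + length (2) + unit id (1)
MBAP_LEN = 7
MODBUS_PROTOCOL_ID = 0  # assumption for this example: 0 identifies Modbus


class ModbusRecord(NamedTuple):
    transaction_id: int
    unit_id: int
    func_code: int
    data: str  # colon-separated hex, same shape as tshark's modbus.data field


def build_adu(tid: int, uid: int, func: int, data: bytes) -> bytes:
    """Helper for the constructed sample: MBAP header + PDU (function code + data).
    The MBAP length field counts the unit id plus the whole PDU."""
    return struct.pack(">HHHB", tid, MODBUS_PROTOCOL_ID, 1 + 1 + len(data), uid) + bytes([func]) + data


def split_stream(payload: bytes) -> Tuple[List[ModbusRecord], bytes]:
    """Walk a TCP payload that may hold several ADUs back to back (as Follow TCP
    Stream shows them) and return the decoded PDUs plus any trailing partial ADU."""
    records: List[ModbusRecord] = []
    pos = 0
    while len(payload) - pos >= MBAP_LEN:
        tid, pid, length, uid = struct.unpack_from(">HHHB", payload, pos)
        if pid != MODBUS_PROTOCOL_ID:
            raise ValueError(f"protocol id {pid} at offset {pos} is not Modbus")
        if length < 2:  # must cover at least the unit id and the function code
            raise ValueError(f"MBAP length {length} at offset {pos} is too short")
        end = pos + 6 + length  # 6 header bytes precede the unit id that length counts
        if end > len(payload):
            break  # partial ADU: the rest arrives in a later TCP segment
        func = payload[pos + MBAP_LEN]
        data = payload[pos + MBAP_LEN + 1:end]
        records.append(ModbusRecord(tid, uid, func, ":".join(f"{b:02x}" for b in data)))
        pos = end
    return records, payload[pos:]


def format_like_tshark(records: List[ModbusRecord]) -> List[str]:
    """Tab-separated lines, header first, mirroring tshark's -T fields -E header=y output."""
    lines = ["mbtcp.trans_id\tmbtcp.unit_id\tmodbus.func_code\tmodbus.data"]
    for r in records:
        lines.append(f"{r.transaction_id}\t{r.unit_id}\t{r.func_code}\t{r.data}")
    return lines


# Constructed sample stream: two complete ADUs followed by the first 10 bytes
# of a third one, i.e. a full MBAP header whose PDU is still in flight.
DATA_1 = bytes.fromhex("050301000030")
DATA_2 = bytes.fromhex("0703010000300899")
DATA_3 = bytes.fromhex("05031000000030")
SAMPLE_STREAM = (
    build_adu(1, 1, 126, DATA_1)
    + build_adu(2, 1, 126, DATA_2)
    + build_adu(3, 1, 126, DATA_3)[:10]
)

if __name__ == "__main__":
    recs, leftover = split_stream(SAMPLE_STREAM)
    print("\n".join(format_like_tshark(recs)))
    print(f"{len(leftover)} byte(s) of a partial ADU carried over")
```

The carry-over return value is the part that matters when reading a reassembled stream rather than per-frame fields: a Modbus ADU is not obliged to line up with TCP segment boundaries, so a decoder that discards the tail of one segment will silently lose or mis-frame the PDU that starts there.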

0

Is there a way to use "Follow TCP stream" without viewing all layers above TCP?

No, because "Follow TCP Stream" is intended to show all the bytes of the TCP segments, which means showing all the layers.

If you can more precisely specify what you want to see, a separate feature could perhaps be implemented to provide that.

answered 29 Aug '13, 15:03


Guy Harris ♦♦

Okay, let's take SMB for example, which lies on NetBIOS session service, which runs on TCP. I'd like a way to follow the SMB data without viewing the NetBIOS "noise"

In my case - I need it for Modbus communication (Modbus commands on top of ModbusTCP comms - shows as different layers in Wireshark)

(31 Aug '13, 13:09) nitay

Okay, let's take SMB for example, which lies on NetBIOS session service, which runs on TCP. I'd like a way to follow the SMB data without viewing the NetBIOS "noise"

In Follow TCP Stream, that's all really noise, with the possible exception of text file blocks being read and written and directories being scanned, as it's an attempt to display binary data as "text". If your protocol isn't a largely text-based protocol, Follow TCP Stream is useful only as a quick way to filter the display (run Follow TCP Stream and then close the Follow TCP Stream window).

In that example, what you want is something very different from Follow TCP Stream; either you want a display that shows, in a separate window, some or all of the dissection at the SMB layer, or you want a way to show, in the main window, SMB without some or all of the layers below it.

In your particular Modbus example, what exactly are you asking for?

(31 Aug '13, 13:51) Guy Harris ♦♦