I am trying to save TCP Stream data (from the Follow TCP Stream window). When I have done so in the past, it asks for a single output file and saves the data there. I am trying to do so currently and when I enter a file name, it saves out data (it appears to be all of it) and then asks for another file name. I tried entering this other file name, and it saves another file and then asks again for a file name. I cancelled out at that point. My question is why is this happening and how do I fix it if it's an error? Note: the TCP stream in question includes a partial file. Edit: I just noticed that output files are consistently 33K, while the file I'm trying to save is much larger. Do I have to save out many files and stitch them together, or is there a way to save it out together? Thanks. asked 19 Sep '13, 09:32 aring3 edited 19 Sep '13, 09:36
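Added example, not part of the original question or of Wireshark itself: if the dialog does split the stream across several files, the pieces can be stitched back together in filename order, and the result can be checked against the Content-Length header of the HTTP response to tell whether the saved data is complete or whether the stream really did carry only a partial file. The chunk file naming (stream-NNN.bin) and the sample chunk contents are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample: three pieces as the Follow TCP Stream dialog might save
# them (Raw, one direction only), one HTTP response split across the pieces.
# The server declares 40 body bytes but the stream ends after 35 of them.
CHUNKS = [
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 40\r\n\r\n" + b"A" * 10,
    b"B" * 20,
    b"C" * 5,
]


def write_chunks(directory, chunks, stem="stream"):
    """Write chunks as stream-000.bin, stream-001.bin, ... and return the paths."""
    paths = []
    for i, data in enumerate(chunks):
        p = Path(directory) / f"{stem}-{i:03d}.bin"
        p.write_bytes(data)
        paths.append(p)
    return paths


def stitch_chunks(paths):
    """Concatenate chunk files ordered by the numeric index in their names,
    so the order in which the paths are passed does not matter."""
    def index_of(p):
        m = re.search(r"-(\d+)\.bin$", Path(p).name)
        return int(m.group(1)) if m else -1
    return b"".join(Path(p).read_bytes() for p in sorted(paths, key=index_of))


def http_body_completeness(data):
    """Return (declared_length, received_length) for the first HTTP response
    in data. declared_length is None when there is no Content-Length header;
    received_length is the number of body bytes actually present."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return None, 0
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    declared = int(m.group(1)) if m else None
    return declared, len(body)


def demo():
    """Round-trip the constructed chunks through a temporary directory and
    return (stitched_matches_original, (declared_length, received_length))."""
    with tempfile.TemporaryDirectory() as d:
        paths = write_chunks(d, CHUNKS)
        # Pass the paths in reverse to show ordering comes from the filenames.
        data = stitch_chunks(list(reversed(paths)))
    return data == b"".join(CHUNKS), http_body_completeness(data)


if __name__ == "__main__":
    ok, (declared, received) = demo()
    print(f"stitched correctly: {ok}")
    print(f"declared {declared} body bytes, received {received}")
```

With the constructed chunks the stitched output is byte-identical to the original stream, and the completeness check reports 40 declared body bytes against 35 received, which is exactly the "partial file" situation the question describes. When Content-Length is absent (chunked encoding, or a capture that starts mid-stream) the function returns None for the declared length, and the byte count shown in the Follow TCP Stream drop-down is the only reference left.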
One Answer:
Oops. I can confirm that behavior for HTTP and raw on WinXP, Wireshark 1.10.2. That behavior is not in 1.8.x and 1.9.x. Furthermore, "Follow TCP stream" does not show the whole bytes of the conversation. Looks like a bug to me. Please file a bug report at https://bugs.wireshark.org with detailed information and a reference to this question. Tested with the following file: http://cloudshark.org/captures/a6a0b45e27b4 Output of Follow TCP Stream, although there is much more data in the conversation. The drop-down menu shows the amount of bytes.
Regards answered 20 Sep ‘13, 07:55 Kurt Knochner ♦ edited 20 Sep ‘13, 08:04 OK, I can confirm the problem on Windows 7 64 using that capture file. Thanks. (And sorry for moving your answer to a comment - you quoted OP and I mistakenly thought OP had incorrectly posted his comment as an answer). (20 Sep ‘13, 08:01) cmaynard ♦♦
never mind. (20 Sep ‘13, 08:05) Kurt Knochner ♦ Filed. Thanks. I’ll grab an older version for now. Edit: For the record, Bug 9170. (20 Sep ‘13, 08:15) aring3
Which version of Wireshark are you using?
Can you describe in more detail exactly what you're doing, or confirm that you are doing the following:
Yes, that is the order of steps I am taking.
What is your OS and Wireshark version?
Sorry for the delay... Windows 8, Wireshark: Version 1.10.2 (SVN Rev 51934 from /trunk-1.10)
What is the output of "tshark -v"? Maybe related to that. 1.10.2 does not show that behavior on WinXP and Win7. Some further questions:
TShark 1.10.2 (SVN Rev 51934 from /trunk-1.10)
Copyright 1998-2013 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, without POSIX capabilities, without libnl, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, without Kerberos, with GeoIP.
Running on 64-bit Windows 8, build 9200, without WinPcap. Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz, with 16280MB of physical memory.
Built using Microsoft Visual C++ 10.0 build 40219
Protocol: HTTP
Files Saved from 'Follow TCP Stream' window, set to Raw (only half of the conversation selected).
Like Kurt, I'm not running Windows 8 either, so if it's a Windows 8 64-bit specific problem, then it might be hard to determine the problem.
On the other hand, if it's data-related, then someone here might have a better chance at being able to help you. But that would require us having access to your capture file. Can you share the capture file on cloudshark (or somewhere else)?
So apparently that was a key piece of information that should have been provided in the steps above. The default is to save the entire conversation, not half of it. In any case, I can't reproduce this on either Windows 7 64 with trunk-52156 or 1.10.2. So, it could be data, OS and/or 32/64 related.
With the file posted in my answer, I can reproduce it on Win7 SP1 x64 and on WinXP SP3, both Wireshark 1.10.x