This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Saving TCP Stream data asks for multiple output files

0

I am trying to save TCP Stream data (from the Follow TCP Stream window). When I have done so in the past, it asks for a single output file and saves the data there. I am trying to do so currently and when I enter a file name, it saves out data (it appears to be all of it) and then asks for another file name. I tried entering this other file name, and it saves another file and then asks again for a file name. I cancelled out at that point. My question is why is this happening and how do I fix it if it's an error?

Note: the TCP stream in question includes a partial file.

Edit: I just noticed that output files are consistently 33K, while the file I'm trying to save is much larger. Do I have to save out many files and stitch them together, or is there a way to save it out together?

Thanks.

asked 19 Sep '13, 09:32


aring3

edited 19 Sep '13, 09:36

Which version of Wireshark are you using?

Can you describe in more detail exactly what you're doing, or confirm that you are doing the following:

  • Right-click: Follow TCP Stream (containing a partial file)
  • From the "Follow TCP Stream" window, SaveAs: <somefile>
  • At this point you are asked for another filename?
(19 Sep '13, 11:40) cmaynard ♦♦

Yes, that is the order of steps I am taking.

(19 Sep '13, 13:27) aring3

What is your OS and Wireshark version?

(20 Sep '13, 00:48) Kurt Knochner ♦

Sorry for the delay... Windows 8, Wireshark: Version 1.10.2 (SVN Rev 51934 from /trunk-1.10)

(20 Sep '13, 07:18) aring3

What is the output of tshark -v?

(20 Sep '13, 07:28) cmaynard ♦♦

Windows 8 Wireshark:

maybe related to that. 1.10.2 does not show that behavior on WinXP and Win7. Some further questions:

  • What was the protocol in use
  • How did you save the file (raw, ascii, etc.)
(20 Sep '13, 07:33) Kurt Knochner ♦

TShark 1.10.2 (SVN Rev 51934 from /trunk-1.10)

Copyright 1998-2013 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, without POSIX capabilities, without libnl, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, without Kerberos, with GeoIP.

Running on 64-bit Windows 8, build 9200, without WinPcap. Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz, with 16280MB of physical memory.

Built using Microsoft Visual C++ 10.0 build 40219

(20 Sep '13, 07:33) aring3

Protocol: HTTP

Files Saved from 'Follow TCP Stream' window, set to Raw (only half of the conversation selected).

(20 Sep '13, 07:36) aring3

Like Kurt, I'm not running Windows 8 either, so if it's a Windows 8 64-bit specific problem, then it might be hard to determine the problem.

On the other hand, if it's data-related, then someone here might have a better chance at being able to help you. But that would require us having access to your capture file. Can you share the capture file on cloudshark (or somewhere else)?

(20 Sep '13, 07:43) cmaynard ♦♦

So apparently that was a key piece of information that should have been provided in the steps above. The default is to save the entire conversation, not half of it. In any case, I can't reproduce this on either Windows 7 64 with trunk-52156 or 1.10.2. So, it could be data, OS and/or 32/64 related.

(20 Sep '13, 07:55) cmaynard ♦♦

I can't reproduce this on either Windows 7 64 with trunk-52156 or 1.10.2. So, it could be data, OS and/or 32/64 related.

With the file posted in my answer, I can reproduce it on Win7 SP1 x64 and on WinXP SP3, both Wireshark 1.10.x

(20 Sep '13, 08:00) Kurt Knochner ♦

One Answer:

2

Protocol: HTTP
Files Saved from 'Follow TCP Stream' window, set to Raw (only half of the conversation selected).

Oops. I can confirm that behavior for HTTP and raw on WinXP, Wireshark 1.10.2. That behavior is not in 1.8.x and 1.9.x. Furthermore, "Follow TCP stream" does not show all the bytes of the conversation. Looks like a bug to me. Please file a bug report at https://bugs.wireshark.org with detailed information and a reference to this question.

Tested with the following file: http://cloudshark.org/captures/a6a0b45e27b4

Output of Follow TCP Stream, although there is much more data in the conversation. The drop-down menu shows the amount of bytes.

GET /questions/24959/saving-tcp-stream-data-asks-for-multiple-output-files?page=1&focusedAnswerId=25040 HTTP/1.1
Host: ask.wireshark.org
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ask.wireshark.org/questions/24959/saving-tcp-stream-data-asks-for-multiple-output-files
Cookie: csrftoken=590805e894346483607ff267f0f3060e; __utma=87653150.789311463.1341826171.1379663512.1379686799.123; __utmz=87653150.1379663512.122.84.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __utma=46672567.1970875656.1349803632.1379674521.1379684705.1311; __utmz=46672567.1378213091.1245.47.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); sessionid=b983c963ccf227d4cdec86c982ac8ac3; __cfduid=de27e1d8844e9eaaa9784a06947ed363b1371810007; cf_retry=1373864693631; greeting_set=True; __utmc=87653150; __utmc=46672567; __utmb=46672567.57.10.1379684705; __utmb=87653150.9.10.1379686799
Connection: keep-alive
Cache-Control: max-age=0

HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Fri, 20 Sep 2013 14:44:12 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Cookie,Accept-Encoding
Set-Cookie: csrftoken=590805e894346483607ff267f0f3060e; expires=Fri, 19-Sep-2014 14:44:11 GMT; Max-Age=31449600; Path=/
X-Frame-Options: SAMEORIGIN
CF-RAY: b0f4ad1f4df01b0
Content-Encoding: gzip

Regards
Kurt

answered 20 Sep '13, 07:55


Kurt Knochner ♦

edited 20 Sep '13, 08:04
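The workaround the question hints at (saving several files and stitching them back together) can be avoided by reassembling the server half of the stream directly from the capture, which is what Follow TCP Stream does behind the dialog. The script below is an added example, not code from this thread or from Wireshark: a minimal pcap reader that orders one direction of a TCP conversation by sequence number, collapses full and partial retransmissions, and refuses to return a silently truncated stream when a segment is missing. The pcap, frames, addresses and HTTP payload are all constructed inline.

```python
import struct

def build_pcap(frames):
    """Constructed classic pcap: 24-byte global header (linktype 1, Ethernet) + 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def tcp_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero because nothing below verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def follow_stream(pcap, client, server):
    """Server -> client bytes ordered by TCP sequence number. client/server are (ipv4 bytes, port).
    Duplicate and overlapping retransmissions are collapsed; a hole raises instead of truncating."""
    segs, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        frame, off = pcap[off + 16 : off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:      # IPv4 carrying TCP only
            continue
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl : 14 + total]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        payload = tcp[(tcp[12] >> 4) * 4 :]
        if (frame[26:30], sport) == server and (frame[30:34], dport) == client and payload:
            segs.setdefault(seq, payload)                    # first copy of a duplicate wins
    data, nxt = b"", None
    for seq in sorted(segs):
        if nxt is not None and seq > nxt:
            raise ValueError(f"hole in stream: expected seq {nxt}, next segment starts at {seq}")
        data += segs[seq][(nxt - seq) if nxt is not None else 0:]  # trim overlap of partial retransmits
        nxt = max(nxt or 0, seq + len(segs[seq]))
    return data

# Constructed endpoints: 10.0.0.2:40000 talking to 10.0.0.1:80
CLIENT, SERVER = (b"\x0a\x00\x00\x02", 40000), (b"\x0a\x00\x00\x01", 80)

def demo():
    """Three response segments captured out of order, plus a retransmit of the first one."""
    body = b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\n0123456789"
    srv = lambda seq, p: tcp_frame(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], seq, p)
    frames = [tcp_frame(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], 1, b"GET / HTTP/1.1\r\n\r\n"),
              srv(1020, body[20:35]), srv(1000, body[:20]), srv(1000, body[:20]), srv(1035, body[35:])]
    return follow_stream(build_pcap(frames), CLIENT, SERVER)
```

Point it at a real capture by reading the file into `pcap` and supplying the two endpoints; the returned bytes are the raw server-side stream, which for the HTTP case here can be compared against Content-Length to confirm nothing was dropped.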

OK, I can confirm the problem on Windows 7 64 using that capture file. Thanks. (And sorry for moving your answer to a comment - you quoted OP and I mistakenly thought OP had incorrectly posted his comment as an answer).

(20 Sep '13, 08:01) cmaynard ♦♦

And sorry for moving your answer to a comment -

never mind.

(20 Sep '13, 08:05) Kurt Knochner ♦

Filed. Thanks. I'll grab an older version for now.

Edit: For the record. Bug 9170

(20 Sep '13, 08:15) aring3