This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

search for truncated text

0

OK, sometimes when I search for packets which contain text data I find that the text data is truncated. How do I set the filter to find only truncated text data (if it is possible)? I tried something like this: data-text-lines contains "truncated" , but didn't get any result.

asked 25 Apr '14, 05:33

myrddin's gravatar image

myrddin
117810
accept rate: 0%

edited 25 Apr '14, 05:33


One Answer:

0

How do I set the filter to find only truncated text data (if it is possible)?

You can't because "truncated" only has a meaning in the human brain, as you can detect that something in a text is probably missing. There is no way to do that with Wireshark, and it's a pretty hard AI problem (artificial intelligence) to detect such a thing in general.

But maybe I misunderstand your definition of "truncated data". If so, please add more details or even better a sample capture file with truncated data/text and one without.

Regards
Kurt

answered 26 Apr '14, 11:30

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thanks for the answer. Yes I think you understood well, I just wanted to search all Line-based text data fields (data-text-lines) of captured packets and to filter only those that have [truncated] in them (in front of some text). Something like [truncated] some text

OK it doesn't matter, I asked this more out of curiosity as I tried to filter them out, but couldn't. Thanks again, bye

(27 Apr '14, 12:58) myrddin

wait a moment... Is [truncated] a text pattern in your data, or something you see in the Wireshark GUI (which does exist in some situations)?

Example: if a HTTP request is too long, it will be shown as

[truncated] GET /some_very_very_very_very_very_very_very_very_

If it's that you are asking for, the answer to your question is: You cannot filter for those '[truncated]' messages, as that's just a marker in the GUI to tell the user that there was a very long string that did not fit into some internal buffer.

That's nothing you need to be worried about. It's just a limitation in displaying data in some situations. Nothing in the frame itself will be truncated in any way.

(27 Apr '14, 13:08) Kurt Knochner ♦