OK, sometimes when I search for packets which contain text data I find that the text data is truncated. How do I set the filter to find only truncated text data (if it is possible)? I tried something like this: data-text-lines contains "truncated" , but didn't get any result. asked 25 Apr '14, 05:33  myrddin edited 25 Apr '14, 05:33 |
One Answer:
You can't because "truncated" only has a meaning in the human brain, as you can detect that something in a text is probably missing. There is no way to do that with Wireshark, and it's a pretty hard AI problem (artificial intelligence) to detect such a thing in general. But maybe I misunderstand your definition of "truncated data". If so, please add more details or even better a sample capture file with truncated data/text and one without. Regards answered 26 Apr '14, 11:30  Kurt Knochner ♦ |
Thanks for the answer. Yes I think you understood well, I just wanted to search all Line-based text data fields (data-text-lines) of captured packets and to filter only those that have [truncated] in them (in front of some text). Something like [truncated] some text
OK it doesn't matter, I asked this more out of curiosity as I tried to filter them out, but couldn't. Thanks again, bye
wait a moment... Is [truncated] a text pattern in your data, or something you see in the Wireshark GUI (which does exist in some situations)?
Example: if a HTTP request is too long, it will be shown as
If it's that you are asking for, the answer to your question is: You cannot filter for those '[truncated]' messages, as that's just a marker in the GUI to tell the user that there was a very long string that did not fit into some internal buffer.
That's nothing you need to be worried about. It's just a limitation in displaying data in some situations. Nothing in the frame itself will be truncated in any way.