Hi, I am a total newb wireshark user. Downloaded to monitor traffic on home network to protect kids. I am trying to view images that are flowing though the server. The relevant protocol settings (that are enabled by default anyway, on current version - 1.10) are enabled to allow reassembly (TCP/HTTP). However when I go to Edit > Export Objects > HTTP - the image files are always broken into 'packets' usually of 1460 byte size. All the tutorials I have seen and read suggest that this window should display complete, reassembled files ready to be saved and viewed. Am I missing something? Thanks in advance, N asked 08 Jun '14, 22:09  wakingwoken |
One Answer:
That usually only happens if "Allow subdissector to reassemble TCP streams" is not activated in the TCP protocol preferences. If you are sure that you have the reassembly enabled for TCP then this looks like a bug to me, unless your capture has a different problem. What you could do is to try and see if Network Miner works with your trace file - if it does, it should be working with Wireshark, too. The free edition only reads pcap formatted files, so if yours is a pcapng file you need to save it in Wireshark as pcap first. answered 09 Jun '14, 03:44  Jasper ♦♦ |
Thanks for the reply.
TCP is enabled.
I should mention I am running RPCAPD on Tomato firmware to enable this capture. Could this have anything to do with it?
...and yes, pcap file works in Network Minor - images display without any fiddly extracting. so easy. Maybe I'll just use NM - did in 2 mins what i've been trying to do for hours in Wireshark!
Go ahead then - Wireshark is great for network analysis, but some specialized tools like NM may work better in certain situations. Still a bit strange that reassembly doesn't seem to work for you...
Well from a brief look, NM cant capture via rpcapd, so i guess i'll be using both, unless Wireshark sorts itself out with a fresh install. Thanks for your help!