Hi, I have a pcap from which I filtered out using a display filter "(http.request or http.response) and not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission and not udp" and stored the resulting pcaps using the -w option of tshark. When I open the saved pcap in Wireshark, some of the HTTP response or request packets are converted to HTTP continuation packets. I can understand that it is indeed a part of the HTTP response, but is there a way to save the reassembled data information as well?
asked 23 Jun '14, 22:27 guru_p, edited 23 Jun '14, 22:34
One Answer:
The problem you're seeing is that the saved pcap file doesn't include all of the TCP segments that comprise the full HTTP messages - the "http continuation" packets are ones that Wireshark can't successfully decode as HTTP, because some packets are missing. What exact command-line are you using for tshark? In particular, are you using the " You should be using the " (edited to add the "
answered 24 Jun '14, 05:54 Hadriel, edited 25 Jun '14, 10:43
Thanks for the reply.

tshark -r "pcap file" -T fields -e frame.number -Y "(http.response or http.request) and not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission and not udp " -P -F pcap -w "writefile"

This is my exact command.
Add the "-2" option flag. This causes a second pass through the file, which is also required to save dependent frames. (I forgot that two-pass is not automatic with the -Y, which it used to be for a short time during development.)

@Hadriel, you should probably edit your answer to add the -2 flag so late comers don't have to read down into the comments.

Thanks for the answer, it worked.
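The following is an added illustration, not code from tshark or from anyone in this thread, of why the single-pass export drops the segments an HTTP response was reassembled from, and what a second pass changes by also writing dependent frames. The capture, the frame numbers and the dependency links are constructed; the field names frame.protocols and tcp.reassembled_in are real Wireshark fields used here only as labels.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Frame:
    number: int
    protocols: str                       # constructed frame.protocols-style value
    reassembled_in: Optional[int] = None  # constructed tcp.reassembled_in link
    dup_ack: bool = False
    retransmission: bool = False

# Constructed capture: one-segment GET in frame 3, a response split over
# frames 4-6 that Wireshark reassembles (and dissects as HTTP) at frame 6.
CAPTURE = [
    Frame(1, "eth:ip:tcp"),                    # SYN
    Frame(2, "eth:ip:tcp"),                    # SYN/ACK
    Frame(3, "eth:ip:tcp:http"),               # GET /
    Frame(4, "eth:ip:tcp", reassembled_in=6),  # first segment of the response
    Frame(5, "eth:ip:tcp", reassembled_in=6),  # second segment
    Frame(6, "eth:ip:tcp:http"),               # last segment: HTTP response decoded here
    Frame(7, "eth:ip:tcp", dup_ack=True),      # excluded by the question's filter
]

def matches(f: Frame) -> bool:
    """Mirror of the question's filter: HTTP request/response, no dup-ACK/retrans."""
    return "http" in f.protocols.split(":") and not f.dup_ack and not f.retransmission

def single_pass(frames):
    """One pass: only frames that match the filter as they are dissected in order."""
    return sorted(f.number for f in frames if matches(f))

def two_pass(frames):
    """Second pass: additionally keep every frame a matching frame depends on."""
    keep = {f.number for f in frames if matches(f)}
    keep.update(f.number for f in frames if f.reassembled_in in keep)
    return sorted(keep)

def decode_saved(frames, saved):
    """How each saved frame would be labelled when the written file is reopened."""
    saved = set(saved)
    labels = {}
    for f in frames:
        if f.number not in saved:
            continue
        if f.reassembled_in is not None:
            labels[f.number] = "TCP segment of a reassembled PDU"
        elif "http" in f.protocols.split(":"):
            deps = [d.number for d in frames if d.reassembled_in == f.number]
            labels[f.number] = "HTTP" if all(d in saved for d in deps) else "Continuation"
        else:
            labels[f.number] = "TCP"
    return labels
```

With the single-pass selection only frames 3 and 6 are written, so frame 6 reopens as a continuation; the two-pass selection also carries frames 4 and 5 and the response decodes again.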