This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

-w option changing the packets (not giving all the details)

0

Hi, I have a pcap from which I filtered packets using the display filter "(http.request or http.response) and not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission and not udp" and stored the resulting pcap using the -w option of tshark.

When I open the saved pcap in Wireshark, some of the HTTP response or request packets are shown as HTTP Continuation packets. I can understand that it is indeed a part of the HTTP response, but is there a way to save the reassembled data information as well?

asked 23 Jun '14, 22:27


guru_p

edited 23 Jun '14, 22:34


One Answer:

1

The problem you're seeing is that the saved pcap file doesn't include all of the TCP segments that comprise the full HTTP messages - the "http continuation" packets are ones that Wireshark can't successfully decode as HTTP, because some packets are missing.

What exact command-line are you using for tshark? In particular, are you using the "-R" or the "-Y" option for the "(http.request or http.response) and not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission and not udp" filter?

You should be using the "-Y" option as well as the "-2" option flag, as that will make it include the dependent frames and perform two-pass analysis, so it will save all of the TCP segments necessary to decode the HTTP messages. The "-R" does not include dependent frames.

(edited to add the "-2" flag as well)

answered 24 Jun '14, 05:54


Hadriel

edited 25 Jun '14, 10:43
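The corrected invocation described in this answer (-Y with -2, not -R), as an added example that is not part of the original answer, together with a follow-up check that counts frames the saved file still dissects as bare HTTP "Continuation". File names are placeholders, and the check assumes that Continuation frames match "http" but neither "http.request" nor "http.response".

```shell
#!/bin/sh
# Added example: save HTTP requests/responses plus the TCP segments they
# depend on, then verify nothing is left as a bare HTTP Continuation frame.
# in.pcap / out.pcap below are placeholder names, not from the original post.
set -eu

# The display filter from the question, unchanged.
HTTP_FILTER='(http.request or http.response) and not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission and not udp'

# Print, one per line, the tshark arguments for the extraction.
#   -2  : two-pass analysis, needed so dependent frames are written too
#   -Y  : display filter (-R would drop the dependent TCP segments)
#   -F pcap -w : write the matching frames and their dependencies out
http_extract_args() {
    in_file=$1
    out_file=$2
    printf '%s\n' -2 -r "$in_file" -Y "$HTTP_FILTER" -F pcap -w "$out_file"
}

# Run the extraction. Requires tshark on PATH.
extract_http_with_deps() {
    tshark -2 -r "$1" -Y "$HTTP_FILTER" -F pcap -w "$2"
}

# Count frames in the saved file that dissect as HTTP without being a
# complete request or response (assumption: that is how Wireshark marks
# "Continuation" frames). A non-zero result means segments are still missing.
count_http_continuation() {
    tshark -r "$1" -Y 'http and not (http.request or http.response)' | wc -l | tr -d ' '
}

# Usage (only when run directly with tshark available):
#   extract_http_with_deps in.pcap out.pcap
#   count_http_continuation out.pcap    # expect 0
```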

Thanks for the reply

This is my exact command:

tshark -r "pcap file" -T fields -e frame.number -Y "(http.response or http.request) and not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission and not udp " -P -F pcap -w "writefile"

(24 Jun '14, 22:03) guru_p

Add the "-2" option flag. This causes a second pass through the file, which is also required to save dependent frames. (I forgot that two-pass is not automatic with the -Y, which it used to be for a short time during development)

(25 Jun '14, 09:49) Hadriel
1

@Hadriel, you should probably edit your answer to add the -2 flag so late comers don't have to read down into the comments.

(25 Jun '14, 10:16) grahamb ♦

Thanks for the answer, it worked.

(25 Jun '14, 21:55) guru_p