This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Does TShark reassemble fragmented packets

0

This is my first project where I'm dealing with analyzing network traffic, so bear with me.

I'm trying to analyze some TCP data that is normally fragmented into several frames due to the size. I know Wireshark has the ability to reassemble the frames for me; does TShark have this same ability? I don't want to start down the path of using TShark if it can't do this.

Thanks Ed

asked 05 Nov '14, 05:52

EdDickens


One Answer:

1

The dissection "engine" is shared between Wireshark (the GUI application) and tshark (the command line application). Both applications also read the same configuration file, e.g. for reassembly settings, so there should be no difference in behaviour.

answered 05 Nov '14, 06:05

grahamb ♦

Thanks Graham.

So as long as the option to reassemble is turned on in Wireshark, TShark will do the same.

(05 Nov '14, 06:27) EdDickens
1

Yep, although you'll have to work a little harder in tshark to control the field output.

(05 Nov '14, 06:54) grahamb ♦

That's my next task. Figuring out capture and display filtering.

Thanks again

(05 Nov '14, 06:57) EdDickens

Filtering syntax is the same for both applications (noting that capture and display filters do have a different syntax), although tshark has two display filter options: -R and -Y.

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(05 Nov '14, 07:11) grahamb ♦
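
The reassembly setting and field output discussed in this thread, as an added example that is not from any of the thread's participants: it overrides the shared TCP reassembly preference on the command line and prints one row per reassembled PDU. The function name `list_reassembled`, its return codes and the capture path passed to it are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list reassembled TCP PDUs in a capture file with tshark.
# list_reassembled and its return codes are hypothetical names/values
# chosen for this example; the capture path is supplied by the caller.

list_reassembled() {
    pcap=$1
    reassemble=${2:-TRUE}   # TRUE or FALSE; overrides the saved preference

    if [ ! -r "$pcap" ]; then
        echo "cannot read capture file: $pcap" >&2
        return 2
    fi
    case $reassemble in
        TRUE|FALSE) ;;
        *) echo "second argument must be TRUE or FALSE" >&2; return 64 ;;
    esac
    if ! command -v tshark >/dev/null 2>&1; then
        echo "tshark not found in PATH" >&2
        return 127
    fi

    # -o  sets the TCP reassembly preference for this run only, instead of
    #     relying on the preferences file shared with Wireshark
    # -Y  display filter: keep only frames that complete a reassembled PDU
    # -T fields / -e  select the output columns explicitly
    tshark -r "$pcap" \
        -o "tcp.desegment_tcp_streams:$reassemble" \
        -Y 'tcp.reassembled.length' \
        -T fields -E header=y -E separator=, \
        -e frame.number -e tcp.stream \
        -e tcp.segment.count -e tcp.reassembled.length
}

# Run directly as: sh script.sh capture.pcap [TRUE|FALSE]
if [ "$#" -gt 0 ]; then
    list_reassembled "$@"
fi
```

Running it with `FALSE` as the second argument on the same capture should print only the header row, since no frame carries `tcp.reassembled.length` when reassembly is off.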