I am trying to decode a specific packet that has some lines which are long and they get truncated. I read that tshark/wireshark is compiled to have a limit of 240 characters per decode line. I see the same result using tshark or wireshark.

https://www.wireshark.org/lists/wireshark-users/201003/msg00155.html

These posts were many years ago and I wanted to know if there is an option now to not truncate lines?

The options I am passing now to tshark are: -V -r <file name> -Y frame.number==<packet number>

Example decode line looks like:

[truncated]Authorization: Digest username="[email protected]",realm="one.www.net",nonce="55555l7kWjxkV1fRgv5555a4Vw7b5555xef5Vr5555=",algorithm=A5555-MD5,uri="sip:one.www.net",response="e900a34a51b2d183ce3f74dc59090b41",qop

I would like to use the official wireshark release and not have to recompile my own.

Thanks in advance for any help, Scott

asked 09 Jun '15, 19:27 jedimcclain
2 Answers:
Yes, that's correct. See my answer to a similar question.
There is currently no way to disable truncating, other than a code change. What you can try is this.
However, I'm not sure how "-T pdml" handles the "truncate problem". Another option would be to print the frame in HEX and extract the information with a script.

Regards

answered 10 Jun '15, 03:52 Kurt Knochner ♦
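The hex-dump route mentioned in the answer above could look like the following. This is an added example, not code from the original answers: it assumes the dump rows use the offset / hex bytes / ASCII layout that `tshark -x` prints, and the function names and the sample frame are constructed for illustration.

```python
import re

# One hex-dump row: offset, two spaces, 1-16 space-separated byte values.
# The ASCII column that follows the hex column is ignored.
ROW = re.compile(r"^[0-9a-fA-F]{4,8}  ((?:[0-9a-fA-F]{2} ){0,15}[0-9a-fA-F]{2})(?:\s|$)")

def bytes_from_hexdump(text):
    """Rebuild the raw frame bytes from offset/hex/ASCII dump rows."""
    out = bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # blank lines and decode text (e.g. "[truncated]...") are skipped
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def header_value(frame, name):
    """Return the full value of a text header (e.g. SIP Authorization), or None."""
    needle = b"\r\n" + name.lower().encode() + b":"
    start = frame.lower().find(needle)
    if start < 0:
        return None
    start += len(needle)
    end = frame.find(b"\r\n", start)
    if end < 0:
        end = len(frame)
    return frame[start:end].strip().decode("latin-1")

def render_hexdump(data):
    """Helper for the sample only: lay bytes out as offset/hex/ASCII rows."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexcol = " ".join(f"{b:02x}" for b in chunk).ljust(47)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexcol}   {asc}")
    return "\n".join(rows)

# Constructed sample: 42 placeholder bytes standing in for Ethernet/IP/UDP headers,
# then a SIP request whose Authorization header exceeds the 240-character limit.
LONG_AUTH = 'Digest username="user@example.invalid",realm="example.invalid",nonce="' + "A" * 200 + '",qop=auth'
SAMPLE_FRAME = bytes(42) + (
    "REGISTER sip:example.invalid SIP/2.0\r\n"
    "Authorization: " + LONG_AUTH + "\r\n"
    "Content-Length: 0\r\n\r\n").encode()
SAMPLE_DUMP = render_hexdump(SAMPLE_FRAME)

if __name__ == "__main__":
    print(header_value(bytes_from_hexdump(SAMPLE_DUMP), "Authorization"))
```

Folded (multi-line) header values are not handled; the value is taken up to the first CRLF.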
If there's a specific field or fields that you're interested in, then you can get the full, non-truncated output by using the For example, I tested sending a very large syslog message and in Wireshark, if I select the truncated message, I see in the lower status bar that the field name is
I specified 2 fields here just to provide an example, but you can specify any number of fields that you might need. For more details on

answered 10 Jun '15, 15:24 cmaynard ♦♦
It then truncates individual fields. I'm using -Y websocket.payload -E occurrence=l -T fields -e text.