This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am trying to decode a specific packet that has some lines which are long and they get truncated. I read that tshark/wireshark is compiled to have a limit of 240 characters per decode line. I see the same result using tshark or wireshark.

https://www.wireshark.org/lists/wireshark-users/201003/msg00155.html

These posts were many years ago and I wanted to know if there is an option now to not truncate lines?

The options I am passing now to tshark are: -V -r <file name> -Y frame.number==<packet number>

Example decode line looks like: [truncated]Authorization: Digest username="[email protected]",realm="one.www.net",nonce="55555l7kWjxkV1fRgv5555a4Vw7b5555xef5Vr5555=",algorithm=A5555-MD5,uri="sip:one.www.net",response="e900a34a51b2d183ce3f74dc59090b41",qop

I would like to use the official wireshark release and not have to recompile my own.

Thanks in advance for any help, Scott

asked 09 Jun '15, 19:27

jedimcclain

is compiled to have a limit of 240 characters per decode line.

Yes, that's correct. See my answer to a similar question.

https://ask.wireshark.org/questions/23218/display-data-in-raw

There is currently no way to disable truncating, other than a code change.

What you can try is this.

tshark -nr input.pcap -T pdml

However, I'm not sure how "-T pdml" handles the "truncate problem".

Another option would be to print the frame in HEX and extract the information with a script:

tshark -V -x -nr input.pcap

Regards
Kurt

answered 10 Jun '15, 03:52

Kurt Knochner ♦
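The "print the frame in HEX and extract the information with a script" route from the answer above, sketched as an added example that is not part of the original thread. The row layout assumed for the `-x` dump, the helper names, and the sample frame (generated inline) are all constructed for illustration.

```python
import re

# Row layout assumed for `tshark -x`: 4-digit hex offset, two spaces,
# up to 16 space-separated bytes, then an ASCII column (ignored here).
ROW = re.compile(r"^([0-9a-f]{4})  ((?:[0-9a-f]{2} ?){1,16})")

def frames_from_hexdump(text):
    """Rebuild each frame's raw bytes from hex rows; -V detail lines are skipped."""
    frames, buf = [], bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset == 0 and buf:      # offset 0000 begins the next frame
            frames.append(bytes(buf))
            buf = bytearray()
        if offset == len(buf):       # ignore rows that are out of sequence
            buf += bytes.fromhex(m.group(2))
    if buf:
        frames.append(bytes(buf))
    return frames

def header_value(frame, name):
    """Full value of a text header line such as SIP Authorization, or None."""
    idx = frame.lower().find(b"\r\n" + name.lower().encode() + b":")
    if idx < 0:
        return None
    start = idx + len(name) + 3      # skip CRLF, the name and the colon
    end = frame.find(b"\r\n", start)
    return frame[start:end if end >= 0 else len(frame)].decode("latin-1").strip()

def sample_dump(frame):
    """Constructed input: render bytes in the assumed row layout."""
    rows = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {chunk.hex(' '):<47}   {text}")
    return "\n".join(rows)

# Constructed sample: 42 zero bytes stand in for Ethernet/IP/UDP headers.
AUTH = ('Digest username="alice@example.invalid",realm="example.invalid",nonce="'
        + "n" * 120 + '",uri="sip:example.invalid",response="' + "0" * 32 + '",qop=auth')
FRAME = bytes(42) + ("REGISTER sip:example.invalid SIP/2.0\r\nAuthorization: "
                     + AUTH + "\r\nContent-Length: 0\r\n\r\n").encode()
DUMP = "Frame 1: (constructed -V detail line)\n" + sample_dump(FRAME)

if __name__ == "__main__":
    frame = frames_from_hexdump(DUMP)[0]
    print(len(AUTH), header_value(frame, "Authorization"))
```

With a real capture, the text passed to `frames_from_hexdump` would be the saved output of the `tshark -V -x -nr input.pcap` command shown above.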

If there's a specific field or fields that you're interested in, then you can get the full, non-truncated output by using the -T fields option and specifying each field of interest with -e field1 -e field2 etc.

For example, I tested sending a very large syslog message and in Wireshark, if I select the truncated message, I see in the lower status bar that the field name is syslog.msg. Therefore, if I want to see the frame number and complete message I sent, I can run tshark as follows:

tshark -nr syslog.pcap -Y "syslog" -T fields -e frame.number -e syslog.msg

I specified 2 fields here just to provide an example, but you can specify any number of fields that you might need. For more details on tshark usage, refer to the tshark man page.

answered 10 Jun '15, 15:24

cmaynard ♦♦

It then truncates individual fields. I'm using -Y websocket.payload -E occurrence=l -T fields -e text.

(02 Oct '17, 02:11) chip-devel
question asked: 09 Jun '15, 19:27

question was seen: 9,178 times

last updated: 02 Oct '17, 02:11