This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Want to use tshark to decode a specific packet and do not truncate lines

0

I am trying to decode a specific packet that has some lines which are long and they get truncated. I read that tshark/wireshark is compiled to have a limit of 240 characters per decode line. I see the same result using tshark or wireshark.

https://www.wireshark.org/lists/wireshark-users/201003/msg00155.html

These posts were many years ago and I wanted to know if there is an option now to not truncate lines?

The options I am passing now to tshark are: -V -r <file name> -Y frame.number==<packet number>

Example decode line looks like: [truncated]Authorization: Digest username="[email protected]",realm="one.www.net",nonce="55555l7kWjxkV1fRgv5555a4Vw7b5555xef5Vr5555=",algorithm=A5555-MD5,uri="sip:one.www.net",response="e900a34a51b2d183ce3f74dc59090b41",qop

I would like to use the official wireshark release and not have to recompile my own.

Thanks in advance for any help, Scott

asked 09 Jun '15, 19:27


jedimcclain
6112
accept rate: 0%


2 Answers:

1

is compiled to have a limit of 240 characters per decode line.

Yes, that's correct. See my answer to a similar question.

https://ask.wireshark.org/questions/23218/display-data-in-raw

There is currently no way to disable truncating, other than a code change.

What you can try is this.

tshark -nr input.pcap -T pdml

However, I'm not sure how "-T pdml" handles the "truncate problem".

Another option would be to print the frame in HEX and extract the information with a script.

tshark -V -x -nr input.pcap

Regards
Kurt

answered 10 Jun '15, 03:52


Kurt Knochner ♦
24.8k1039237
accept rate: 15%
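The second option in the answer above (print the frame in hex and pull the value out with a script) worked through as an added example; this is not code from the Wireshark project or from the answer's author. It assumes the hex dump layout that `tshark -x` prints (a four-digit hex offset, two spaces, up to sixteen space-separated byte values, then an ASCII column) and that each dump block is introduced by a label line such as "Frame (512 bytes):". The SIP REGISTER message, its Authorization header and the dump text are constructed here so the script runs offline; with real data you would feed it the output of `tshark -V -x -nr input.pcap -Y "frame.number==N"`.

```python
"""Recover complete header values from a `tshark -x` hex dump.

The decode tree truncates long lines; the hex dump does not. Parsing the dump
back into bytes gives the full Authorization value regardless of its length.
"""
import re
import sys

# One dump line: offset, two spaces, 1..16 byte values each followed by a space.
# The ASCII column after the bytes is ignored.
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4})\s{2}((?:[0-9a-fA-F]{2} ){1,16})")


def parse_hexdump(text):
    """Return {block_label: bytes} for every hex block in `text`.

    `tshark -V -x` prints one block per data source (e.g. 'Frame (512 bytes):',
    'Reassembled TCP (1500 bytes):'); bytes are joined in offset order and a gap
    in the offsets is treated as a corrupt dump.
    """
    blocks, label, buf = {}, "Frame", bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            offset = int(m.group(1), 16)
            if offset != len(buf):
                raise ValueError("non-contiguous dump at offset %#06x" % offset)
            buf.extend(bytes.fromhex(m.group(2)))
        elif line.strip():
            # Any other non-empty line ends the current block and labels the next.
            if buf:
                blocks[label] = bytes(buf)
                buf = bytearray()
            label = line.strip().rstrip(":")
    if buf:
        blocks[label] = bytes(buf)
    return blocks


def find_header(payload, name):
    """Return the full value of text-protocol header `name` (SIP/HTTP), or None.

    Works on a raw frame too: the binary Ethernet/IP/UDP headers simply end up
    glued to the request line, and header lines are still delimited by CRLF.
    """
    head = payload.split(b"\r\n\r\n", 1)[0]
    for raw in head.split(b"\r\n"):
        key, _, value = raw.decode("latin-1").partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def recover_authorization(dump_text):
    """Parse the dump and return the complete Authorization value of its first block."""
    payload = next(iter(parse_hexdump(dump_text).values()))
    return find_header(payload, "Authorization")


def format_hexdump(data, label="Frame"):
    """Render bytes in the `tshark -x` layout; used only to build the sample below."""
    out = ["%s (%d bytes):" % (label, len(data))]
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append("%04x  %-47s   %s" % (off, hexpart, asc))
    return "\n".join(out)


# Constructed sample: a SIP REGISTER whose Authorization value is well over the
# 240-character decode-line limit (placeholder realm, nonce and digest values).
AUTH_VALUE = (
    'Digest username="user@example.invalid",realm="example.invalid",'
    'nonce="' + "n" * 120 + '",algorithm=MD5,uri="sip:example.invalid",'
    'response="' + "0" * 32 + '",qop=auth,nc=00000001,cnonce="' + "c" * 40 + '"'
)
SAMPLE_MESSAGE = (
    "REGISTER sip:example.invalid SIP/2.0\r\n"
    "Authorization: " + AUTH_VALUE + "\r\n"
    "Content-Length: 0\r\n\r\n"
).encode("latin-1")
SAMPLE_DUMP = format_hexdump(SAMPLE_MESSAGE)


if __name__ == "__main__":
    # Usage: python recover_header.py frame.txt   (defaults to the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    value = recover_authorization(text)
    print("%d chars: %s" % (len(value), value))
```

The parser only trusts the hex columns, never the ASCII column, so a packet whose text happens to look like hex cannot confuse it; the offset check catches a dump that was copied incompletely. For TCP-carried SIP or HTTP, use the "Reassembled TCP" block from `parse_hexdump` rather than the first frame when the message spans segments.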

1

If there's a specific field or fields that you're interested in, then you can get the full, non-truncated output by using the -T fields option and specifying each field of interest with -e field1 -e field2 etc.

For example, I tested sending a very large syslog message and in Wireshark, if I select the truncated message, I see in the lower status bar that the field name is syslog.msg. Therefore, if I want to see the frame number and complete message I sent, I can run tshark as follows:

tshark -nr syslog.pcap -Y "syslog" -T fields -e frame.number -e syslog.msg

I specified 2 fields here just to provide an example, but you can specify any number of fields that you might need. For more details on tshark usage, refer to the tshark man page.

answered 10 Jun '15, 15:24


cmaynard ♦♦
9.4k1038142
accept rate: 20%

It then truncates individual fields. I'm using -Y websocket.payload -E occurrence=l -T fields -e text.

(02 Oct '17, 02:11) chip-devel