I'm trying to filter a really large pcap file using tshark (I don't want to load that really large file in Wireshark) into a new pcap file. I'm filtering by rating group in Diameter, but when the filter is applied over a reassembled PDU it seems that it only matches one of the segments of that PDU, because when I open the new file I find that in the frames belonging to the reassembled PDU I only get Data over TCP instead of Diameter. Do you know how I can extract all the segments which belong to the PDUs that match the filter?
For example, when I filter in the filter tab I don't have the problem, but when I extract the frames it found to a new file then I have this data problem :(
Thanks all in advance!
asked 18 Feb '16, 20:52
To get tshark to save "dependent" frames (i.e., frames that are required to properly dissect another frame due to, for example, reassembly) you need to give tshark the "-2" option in addition to the display filter.
Think of it this way: normally tshark makes a single pass through the capture file. In the case of reassembly, if, for example, frames 5, 7, and 9 are reassembled into a single upper-layer PDU, then tshark won't know that it needs to display (or save) frames 5 and 7 until it's gotten to frame 9, finished the reassembly, and found that frame 9 passes the display filter. By enabling 2 passes, tshark can see frames 5 and 7 again, this time with the knowledge that they need to be displayed/saved (since they are required for frame 9 to pass the display filter).
answered 19 Feb '16, 06:12
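The two-pass extraction described in the answer, as an added example script that is not part of the original question or answer. The file names, the Rating-Group value 100 and the AVP field name diameter.Rating-Group are assumptions for illustration; the script also adds a check that the extract still reassembles every matching PDU.

```shell
#!/bin/sh
# Added example (not from the original question or answer): extract every
# frame that contributes to a Diameter PDU matching a Rating-Group filter,
# using tshark's two-pass mode, then verify nothing was lost to reassembly.
# Assumed (constructed for illustration): input big.pcap, output file name,
# and the AVP field name diameter.Rating-Group with value 100.

IN="${1:-big.pcap}"
OUT="${2:-rating_group_100.pcap}"
FILTER="${3:-diameter.Rating-Group == 100}"

# Argument list for a two-pass filtered extraction, one per line, so it can
# be reviewed before the (slow) run over a large file. -2 makes tshark walk
# the file twice: pass 1 learns which frames a matching PDU was reassembled
# from, pass 2 writes those dependent segments along with the matching frame.
tshark_args() {
    printf '%s\n' -2 -r "$1" -Y "$3" -w "$2"
}

# Run the extraction. Without -2 only the final segment of each matching
# PDU is written, so the output file shows it as bare "Data" over TCP.
extract_pdus() {
    tshark -2 -r "$1" -Y "$3" -w "$2"
}

# Number of frames in a capture that satisfy a display filter.
count_frames() {
    tshark -r "$1" -Y "$2" -T fields -e frame.number | wc -l | tr -d ' '
}

# The check: the filter must match as many frames in the extract as in the
# original. A lower count means some PDU could not be reassembled because
# one of its segments was dropped.
verify_counts() {
    if [ "$1" -eq "$2" ]; then
        echo "ok: $2 matching PDU(s) reassembled in the extract"
        return 0
    fi
    echo "mismatch: $1 matching in source, only $2 in extract (missing segments)" >&2
    return 1
}

# Only run the real tool when it and the input file are present.
if command -v tshark >/dev/null 2>&1 && [ -f "$IN" ]; then
    extract_pdus "$IN" "$OUT" "$FILTER"
    verify_counts "$(count_frames "$IN" "$FILTER")" "$(count_frames "$OUT" "$FILTER")"
fi
```

Counting matches in the source file is a second full pass over the large capture, so skip that check if you only need the extract quickly.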