I've seen a few questions about the [truncated] problem, but no good answers. I've tried both Wireshark and tshark. I'd like to export http/xml data from a .pcapng file. Any format would be fine (I can manipulate raw bytes or whatever), but my requirements are that packets are reassembled (i.e. entire conversation), and that the data is not truncated.
asked 23 Feb '16, 11:49 DennisR
One Answer:
It might help if you were a bit more specific about what you'd like to export. For now I'll assume you want to export the entire http stream which would mean that the "-z follow" option to tshark would be ideal. Another answer also suggests using tcpflow.
answered 25 Feb '16, 11:40 JeffMorriss
Yes, I'd like to see the entire http stream. I tried tshark.exe" -r "myfile.pcapng" -z follow and it complained: tshark: Invalid -z argument "follow"; it must be one of: ... (I also tried "-z follow.tcp" and got the same error)
I looked into tcpflow. I had to editcap convert from pcapng to pcap, and deal with the thousands of files tcpflow generates, but I think this will work. Thanks.
What version of Wireshark/tshark are you using? Does "-z follow" show up in the man page/help (tshark -z help)? It may be the version you're using is too old (pre-1.8?!?).
Note that it's "follow,tcp", not "follow.tcp".
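
Added example, not part of the original thread: a small Python parser that turns the text printed by `tshark -r myfile.pcapng -q -z follow,tcp,raw,0` back into the two untruncated byte streams of the conversation. It assumes the raw-mode layout (one hex line per segment, server-side lines tab-indented); the sample capture text, addresses and function names are constructed for illustration.

```python
import re
import sys

# Constructed sample of `-z follow,tcp,raw,0` output (not from a real capture).
REQ = b"GET /orders.xml HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY = b"<order><id>7</id></order>"
RESP_HEAD = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(BODY)
SAMPLE = "\n".join([
    "", "=" * 67, "Follow: tcp,raw", "Filter: tcp.stream eq 0",
    "Node 0: 192.0.2.10:49152", "Node 1: 192.0.2.80:80",
    REQ.hex(),                # client segment: no indent
    "\t" + RESP_HEAD.hex(),   # server segments: tab-indented
    "\t" + BODY[:11].hex(),   # body split across two TCP segments
    "\t" + BODY[11:].hex(),
    "=" * 67, ""])

def parse_follow_raw(text):
    """Return (nodes, client_bytes, server_bytes) for one followed stream."""
    nodes, streams, in_block = {}, {0: bytearray(), 1: bytearray()}, False
    for line in text.splitlines():
        if line.startswith("====="):          # header/footer rule
            in_block = not in_block
            continue
        if not in_block or not line.strip():
            continue
        m = re.match(r"Node ([01]): (.+)$", line)
        if m:
            nodes[int(m.group(1))] = m.group(2)
        elif re.fullmatch(r"\t?(?:[0-9a-fA-F]{2})+", line):
            side = 1 if line.startswith("\t") else 0
            streams[side] += bytes.fromhex(line.strip())
    return nodes, bytes(streams[0]), bytes(streams[1])

def http_body(stream):
    """Split one reassembled HTTP message into header lines and body bytes."""
    head, _, body = stream.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n"), body

if __name__ == "__main__":
    # Usage: tshark -r myfile.pcapng -q -z follow,tcp,raw,0 | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    nodes, client, server = parse_follow_raw(text)
    headers, body = http_body(server)
    print(nodes, headers[0], len(body), "body bytes")
    sys.stdout.buffer.write(body + b"\n")
```

The body split assumes a single response on the stream; a keep-alive connection carrying several responses needs Content-Length or chunked decoding to separate them.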