This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Export xml data - Any workaround for [truncated]?

0

I've seen a few questions about the [truncated] problem, but no good answers. I've tried both Wireshark and tshark. I'd like to export http/xml data from a .pcapng file. Any format would be fine (I can manipulate raw bytes or whatever), but my requirements are that packets are reassembled (i.e. entire conversation), and that the data is not truncated.

asked 23 Feb '16, 11:49

DennisR


One Answer:

0

It might help if you were a bit more specific about what you'd like to export. For now I'll assume you want to export the entire http stream which would mean that the "-z follow" option to tshark would be ideal.

Another answer also suggests using tcpflow.

answered 25 Feb '16, 11:40

JeffMorriss ♦

Yes, I'd like to see the entire http stream. I tried tshark.exe" -r "myfile.pcapng" -z follow and it complained: tshark: Invalid -z argument "follow"; it must be one of: ... (I also tried "-z follow.tcp" and got the same error)

I looked into tcpflow. I had to editcap convert from pcapng to pcap, and deal with the thousands of files tcpflow generates, but I think this will work. Thanks.

(25 Feb '16, 15:11) DennisR

What version of Wireshark/tshark are you using? Does "-z follow" show up in the man page/help (tshark -z help)? It may be the version you're using is too old (pre-1.8?!?).

Note that it's "follow,tcp", not "follow.tcp".

(25 Feb '16, 16:09) JeffMorriss ♦
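
Added example, not part of the original thread: a Python sketch that runs the "-z follow,tcp" option discussed above in its raw mode and rebuilds the untruncated bytes of each direction of one TCP stream, then pulls out the HTTP body. It assumes the usual layout of that output (header lines, then one hex line per segment, with the second node's lines prefixed by a tab); the function names, the stream index and the sample output are constructed for illustration.

```python
import subprocess

HEADERS = ("Follow:", "Filter:", "Node 0:", "Node 1:")

# Constructed sample of `tshark -q -z follow,tcp,raw,0` output (assumed layout).
SAMPLE = "\n".join([
    "=" * 67,
    "Follow: tcp,raw",
    "Filter: tcp.stream eq 0",
    "Node 0: 192.0.2.10:50000",
    "Node 1: 192.0.2.20:80",
    b"POST /api HTTP/1.1\r\nContent-Length: 8\r\n\r\n<a>1</a>".hex(),
    "\t" + b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n<ok>".hex(),
    "\t" + b"done</ok>".hex(),
    "=" * 67,
])


def parse_follow_raw(text):
    """Return (node0_bytes, node1_bytes) from one follow,tcp,raw block."""
    sides = [bytearray(), bytearray()]
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.startswith(HEADERS):
            continue  # separators and header lines carry no payload
        side = 1 if line.startswith("\t") else 0  # tab marks the second node
        sides[side] += bytes.fromhex(line.strip())  # ValueError on non-hex input
    return bytes(sides[0]), bytes(sides[1])


def http_body(stream):
    """Bytes after the first blank line; assumes a single HTTP message."""
    _head, sep, body = stream.partition(b"\r\n\r\n")
    return body if sep else b""


def follow_stream(pcap, stream=0):
    """Run tshark on a capture file and parse the chosen TCP stream."""
    out = subprocess.run(
        ["tshark", "-r", pcap, "-q", "-z", f"follow,tcp,raw,{stream}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_follow_raw(out)


if __name__ == "__main__":
    client, server = parse_follow_raw(SAMPLE)
    print(http_body(client), http_body(server))
```

A connection that carries several requests needs Content-Length or chunked parsing on top of this; http_body only splits at the first header/body boundary.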