After I decrypted the SSL session in a capture file and saved the decrypted data to a new pcap file with the "export PDUs to file" function, I failed to export the HTTP objects from the export-PDU file. It seems Wireshark doesn't reassemble the HTTP payload. Is there any way I can export the complete HTTP objects from this export-PDU file?
The output of tshark when reading this export-PDU file:
tshark -r export_PDU.pcap
1 0.000000000 230 10.140.8.27 → 10.79.46.117 HTTP GET /wiresharkdoc.ico HTTP/1.1 exported_pdu:http
2 0.002855000 348 10.79.46.117 → 10.140.8.27 HTTP HTTP/1.1 200 OK exported_pdu:http
3 0.002855000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
4 0.002930000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
5 0.002939000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
6 0.002941000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
7 0.002943000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
8 0.002945000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
9 0.005285000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
10 0.005285000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
11 0.005291000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
12 0.005292000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
13 0.005758000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
14 0.005758000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
15 0.005959000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
16 0.006866000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
17 0.006902000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
18 0.006909000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
19 0.006911000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
20 0.008352000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
21 0.008366000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
22 0.008426000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
23 0.010263000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
24 0.010309000 16456 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
25 0.010320000 12150 10.79.46.117 → 10.140.8.27 HTTP Continuation exported_pdu:http:data
asked 24 Jul '17, 06:50
Frank Lin
What Wireshark version did you use? Can you reproduce it with 2.4 which was released some days ago?
I used the latest Wireshark version 2.4.
tshark -v
TShark (Wireshark) 2.4.0 (v2.4.0)
Thank you for looking into this.
You can find the capture file that I use from the link below:
https://1drv.ms/f/s!AnBHC0wl8DZ9eFVwAEuvDMjbFoM
Confirmed and I have an idea where it goes wrong. Can you file a bug about it and attach the pcap / steps to reproduce?
Sure. I have filed a bug as below.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13918
Could you send me the pull request that fixes this bug when it's done? I can merge the fix and rebuild Wireshark locally.
Many thanks in advance.
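
Added example, not part of the original thread and not Wireshark code: a Python sketch of rebuilding one HTTP response body by hand when the "200 OK" PDU and its "Continuation" PDUs are not reassembled, as in frames 2 to 25 of the listing above. It assumes the HTTP payload of each PDU has already been extracted in capture order and that the body is delimited by Content-Length; the function names and the sample bytes are constructed for illustration.

```python
def split_head(pdu: bytes):
    """Split the PDU carrying the status line into (headers, first body bytes)."""
    head, sep, body = pdu.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block does not end inside the first PDU")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def reassemble_body(pdus):
    """Rebuild one response body from its PDU payloads, given in capture order.

    Returns (headers, body, leftover); leftover holds any bytes past
    Content-Length, for example the start of a following response.
    """
    if not pdus:
        raise ValueError("no PDUs given")
    headers, first = split_head(pdus[0])
    if "chunked" in headers.get("transfer-encoding", "").lower():
        raise NotImplementedError("chunked transfer coding is not handled here")
    if "content-length" not in headers:
        raise ValueError("no Content-Length header, body length unknown")
    want = int(headers["content-length"])
    data = first + b"".join(pdus[1:])
    if len(data) < want:
        raise ValueError(f"truncated body: {len(data)} of {want} bytes present")
    return headers, data[:want], data[want:]


# Constructed sample input (not taken from the capture in the thread):
# a 1024-byte stand-in body split across one header PDU and three continuations.
SAMPLE_BODY = bytes(range(256)) * 4
SAMPLE_HEAD = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: image/x-icon\r\n"
               b"Content-Length: 1024\r\n\r\n")
SAMPLE_PDUS = [SAMPLE_HEAD] + [SAMPLE_BODY[i:i + 400] for i in range(0, 1024, 400)]

if __name__ == "__main__":
    hdrs, body, extra = reassemble_body(SAMPLE_PDUS)
    print(hdrs["content-type"], len(body), "bytes,", len(extra), "left over")
```

A truncated run of PDUs raises instead of returning a short object, so a missing continuation frame is noticed rather than silently written to disk.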