From the Wireshark Developer's Guide:

Wireshark dissects packets in what it calls 'two-pass' dissection.
...
Wireshark later performs 'second pass' ad-hoc dissections on the packets that it needs data from. This enables Wireshark to fill in fields that require future knowledge, like the 'response in frame #' fields, and correctly calculate reassembly frame dependencies.

tshark does a single pass unless told to make a second pass with the -2 option:

-2
Perform a two-pass analysis. This causes TShark to buffer output until the entire first pass is done, but allows it to fill in fields that require future knowledge, such as 'response in frame #' fields. Also permits reassembly frame dependencies to be calculated correctly.

>tshark -r http.cap -T fields -e frame.number -e http.request_in -e http.response_in -Y http
4
18
27      18
38      4

>tshark -r http.cap -2 -T fields -e frame.number -e http.request_in -e http.response_in -Y http
4               38
18              27
27      18
38      4
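
The following is an added example, not part of the original answer or of Wireshark: it parses the two outputs above and shows that the forward links (`http.response_in`) missing from single-pass output can be rebuilt by inverting the backward links (`http.request_in`). It assumes the rows are tab-separated, which is the default for `-T fields`; the function names are hypothetical.

```python
"""Added example: rebuild forward links from single-pass tshark field output."""

# The two outputs shown above, re-typed as tab-separated rows
# (frame.number, http.request_in, http.response_in); empty cell = field absent.
SINGLE_PASS = "4\t\t\n18\t\t\n27\t18\t\n38\t4\t\n"
TWO_PASS = "4\t\t38\n18\t\t27\n27\t18\t\n38\t4\t\n"


def parse_rows(text):
    """Return {frame: (request_in, response_in)} with None for empty cells."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on tab only: splitting on whitespace would shift empty columns.
        cells = line.split("\t")
        cells += [""] * (3 - len(cells))  # tolerate trimmed trailing tabs
        frame, req_in, resp_in = (int(c) if c.strip() else None for c in cells[:3])
        rows[frame] = (req_in, resp_in)
    return rows


def fill_forward_links(rows):
    """Invert the backward links (request_in) to recover response_in."""
    filled = dict(rows)
    for frame, (req_in, _resp_in) in rows.items():
        if req_in is not None and req_in in filled:
            prev_req, prev_resp = filled[req_in]
            if prev_resp is None:
                filled[req_in] = (prev_req, frame)
    return filled


def unanswered_requests(rows):
    """Frames with neither link set: they look like requests with no response."""
    return sorted(f for f, (req_in, resp_in) in rows.items()
                  if req_in is None and resp_in is None)


if __name__ == "__main__":
    single = parse_rows(SINGLE_PASS)
    print("single pass, apparently unanswered:", unanswered_requests(single))
    print("after inverting request_in:        ", fill_forward_links(single))
    print("tshark -2 output:                  ", parse_rows(TWO_PASS))
```

On the single-pass rows every request looks unanswered, so a script that hunts for requests without responses should either read `-2` output or invert `http.request_in` first.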
