Is there a way to show non-truncated data with tshark without recompiling?

Has there been a feature added yet to tshark to allow you to see the full non-truncated payload of a message? In my case I am working with websocket data that is compressed using permessage-deflate. I can decompress it, but it truncates the payload.

I'm aware that I can recompile tshark and modify the ITEM_LABEL_LENGTH in epan/proto.h, but I wanted to see if there was any other way this could be accomplished without recompiling tshark.

This is an example of the tshark command I am running:

tshark -r ~/Downloads/small.pcap -Y websocket.payload -Tfields -e frame.number -e frame.time -e text

Thanks

rspiege1
asked 2019-08-26 17:00:22 +0000

Comments

Have you solved this issue?

doogers (2022-10-14 10:14:44 +0000)

2 Answers

Enhancement request 14874 is looking for something user adjustable for use with the GUI, but if implemented would probably work in the CLI as well.

grahamb
answered 2019-08-26 17:31:23 +0000
Guy Harris
updated 2023-06-15 08:08:41 +0000

Comments

That request is talking about the items in the packet detail pane. It's not clear that, say, a line in a protocol tree view that's 100000 characters wide would be all that useful - that's a lot of scrolling - but for somebody dumping that information out in a form possibly intended for machine consumption, such as -T fields output, perhaps there should be no limit.

That might require that the -T fields output be produced by different code from the protocol tree display code, but that's not necessarily a bad thing - what's useful for human consumption isn't necessarily what's useful for machine consumption.

Guy Harris (2019-08-26 19:06:11 +0000)

I've developed my own tool to extract WebSocket frames from a pcap file; it works quite a bit better than Wireshark. It's at https://www.npmjs.com/package/pcap-tc...

fred82
answered 2021-11-30 22:16:15 +0000