
display filter mismatch for writing files

Hi There

I'm trying to reduce large cap files for detailed analysis in tshark. In this case I want to filter out all HTTP requests or responses, so I am using -r in.file -Y "http.request or http.response" -w out.file

Before filtering the packets out, I was counting the number of http.requests in the raw file, assuming that the same number would appear in the filtered output file, but the number in the new out.file is only 60% compared to the in.file. So this seems not to be a reliable process. I thought my -Y filter with "or" may be a problem and tried a single condition (http.request), but got the same result. Any hints what I did wrong? Thanks in advance.

===

Merged in from your other question:

Hi there, I'm using tshark to filter out HTTP response packets. I found 2 options to use as filter: http.response and http.response.code. I assume that where an http.response.code is present, this will be an http.response too. Surprisingly, I found that the number of packets with filter "http.response.code" is usually 25% more than with just "http.response" as filter. I'm using -z io,stat for counting the hits and repeated the tests several times, always with the same result, using tshark 2.6.3. I would be glad for any hint.

asked 2019-09-24 16:32:26 +0000 by adiedrich
updated 2019-09-24 21:59:23 +0000 by SYN-bit


1 Answer


Wireshark, by default, reassembles PDUs of higher-layer protocols like HTTP. In the case of HTTP requests and responses, many of them are sent in multiple packets as they do not fit in one packet. When saving the packets after filtering with tshark, only the packets with the last part of the HTTP request or response get saved to the file. When you re-read that file, Wireshark does not recognize the request or response as it is missing the first part.

One way to solve this is to make tshark save the missing pieces by using two-pass filtering. You can do this with:

tshark -2 -r in.file -w out.file -Y "http.request or http.response"

But since all the packets that make up the request or the response are now saved, you will still have large files. If you are only interested in the first packet of the requests and responses, you can disable reassembly. In this case you also need to disable reassembly when re-reading the new file, otherwise tshark/Wireshark will try to do reassembly, fail, and so not show the packets as HTTP. The workflow would be:

tshark -o tcp.desegment_tcp_streams:FALSE -r in.file -w out.file -Y "http.request or http.response"
tshark -o tcp.desegment_tcp_streams:FALSE -r out.file

Or when reading the new file in Wireshark, make sure you disable reassembly in the TCP protocol preferences.

answered 2019-09-24 21:54:19 +0000 by SYN-bit

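The following is an added illustration, not code from the question, the answer, or Wireshark/tshark itself. It is a small Python model of what the answer describes: a per-direction TCP reassembly buffer, a dissector that only recognises an HTTP request or response once the whole header block has arrived, and three ways of writing a filtered file (single pass with reassembly, two pass as with -2, and single pass with tcp.desegment_tcp_streams disabled). The capture is constructed inline, the streams are labelled by a made-up connection id plus direction, and the model assumes every PDU ends at a segment boundary, which real traffic does not guarantee. Counting the matches in the written-out packets shows why the first workflow loses matches on re-read and why the reassembly setting has to agree between writing and reading.

```python
"""Model of single-pass vs two-pass display filtering of reassembled HTTP.

Added example: simulates the behaviour the answer describes; it is not
tshark's code and the capture below is constructed, not real traffic.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    num: int        # frame number as tshark would print it
    stream: str     # hypothetical "<connection id>/<direction>" label
    payload: bytes  # TCP payload of this segment


# Constructed capture: connection 0 carries a one-segment request, a
# response split over three segments, and a request split over two;
# connection 1 carries a request and a response in one segment each.
CAPTURE = [
    Packet(1, "0/c2s", b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(2, "0/s2c", b"HTTP/1.1 200 OK\r\nServer: demo\r\n"),
    Packet(3, "0/s2c", b"Content-Type: text/html\r\n"),
    Packet(4, "0/s2c", b"Content-Length: 0\r\n\r\n"),
    Packet(5, "1/c2s", b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(6, "1/s2c", b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    Packet(7, "0/c2s", b"POST /c HTTP/1.1\r\nHost: example.test\r\n"),
    Packet(8, "0/c2s", b"Content-Length: 0\r\n\r\n"),
]

REQUEST_METHODS = (b"GET ", b"POST ", b"HEAD ")
FILTER = {"http.request", "http.response"}  # models -Y "http.request or http.response"


def classify(data):
    """Fields the HTTP dissector would set for a complete header block."""
    if data.startswith(REQUEST_METHODS):
        return {"http.request"}
    if data.startswith(b"HTTP/1."):
        return {"http.response"}
    return set()


def dissect(packets, desegment=True):
    """Return {frame num: (fields set on that frame, frames the PDU used)}.

    With desegment=True the PDU is attributed to the segment that completes
    it (the reassembly model); with desegment=False each segment is dissected
    on its own, so only a first segment can carry http.* fields.
    """
    result, buffers = {}, {}
    for p in packets:
        if not desegment:
            result[p.num] = (classify(p.payload), [p.num])
            continue
        data, frames = buffers.pop(p.stream, (b"", []))
        data, frames = data + p.payload, frames + [p.num]
        if data.endswith(b"\r\n\r\n"):       # header block complete here
            result[p.num] = (classify(data), frames)
        else:                                 # still waiting for more segments
            result[p.num] = (set(), [p.num])
            buffers[p.stream] = (data, frames)
    return result


def count_matches(packets, wanted=FILTER, desegment=True):
    """What 'tshark -z io,stat' style counting of the filter would report."""
    d = dissect(packets, desegment)
    return sum(1 for p in packets if d[p.num][0] & wanted)


def filter_single_pass(packets, wanted=FILTER, desegment=True):
    """Write only the frames on which the filter matched (plain -Y ... -w)."""
    d = dissect(packets, desegment)
    return [p for p in packets if d[p.num][0] & wanted]


def filter_two_pass(packets, wanted=FILTER):
    """Write every frame the matching PDU depended on (the -2 behaviour)."""
    d = dissect(packets, desegment=True)
    keep = set()
    for p in packets:
        if d[p.num][0] & wanted:
            keep.update(d[p.num][1])
    return [p for p in packets if p.num in keep]


if __name__ == "__main__":
    print("matches in original capture:", count_matches(CAPTURE))
    single = filter_single_pass(CAPTURE)
    print("single pass wrote", len(single), "frames; re-read matches:",
          count_matches(single))
    two = filter_two_pass(CAPTURE)
    print("two pass wrote", len(two), "frames; re-read matches:",
          count_matches(two))
    raw = filter_single_pass(CAPTURE, desegment=False)
    print("no-reassembly pass wrote", len(raw), "frames; re-read without"
          " reassembly:", count_matches(raw, desegment=False),
          "with reassembly:", count_matches(raw, desegment=True))
```

In the constructed capture the original file holds 5 matching frames; the single-pass file keeps only the completing segments and, on re-read, matches just 3 of them, because the partial header blocks in frames 4 and 8 no longer start with a request or status line. The two-pass file keeps all 8 frames and re-reads as 5 matches, and the no-reassembly file keeps the 5 first segments, which match again only when the re-read also has reassembly disabled. The practical check this suggests is the one the question already attempted: compare the filter count on in.file against the same count on out.file, read with the same reassembly preference, before trusting the reduced file.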
