Pyshark and Wireshark show different views of HTTP2 layer

  • retag add tags

I'm trying to programmably export jpegs using Pyshark. My problem is that I cannot identify the final http2 packet containing the jpeg in Pyshark, even though I can see that it is there in Wireshark.

Wireshark view: link text

Pyshark view: https://preview.redd.it/70vlaaayzyp61...

Wireshark shows an HTTP2 section with two streamids, 51 and 55. The jpeg is where I expect it to be under streamid 55.

Pyshark only shows one streamid, 51. I can poke around and find that the jpeg from streamid 55 is in this layer, but programatically, I have no way of knowing that it is there, since there is nothing to indicate that this layer contains data from streamid 55. As you can see, the End of Stream flag is not set in Pyshark either.

How does Wireshark create the correct view of the stream, while Pyshark does not? Is this to be expected or is a bug? Can anyone think of a way for me to deal with this?

Thanks.

Brad's avatar
1
Brad
asked 2021-05-08 16:13:13 +0000
edit flag offensive 0 remove flag close merge delete

Comments

pyshark is a wrapper for tshark.
Have you verified that tshark and wireshark are the same version?
Can you recreate the issue in tshark? (easier to diagnose without the Python layer)

Chuckc's avatar Chuckc (2021-05-08 16:36:26 +0000) edit
more
  • delete

Perhaps you need to run tshark with the two pass parameter.

Anders's avatar Anders (2021-05-08 21:04:51 +0000) edit
more
  • delete
add a comment see more comments