
Option to control default follow stream view?


Is there an option to set the follow stream view to something other than ASCII by default?

I'm looking at a packet capture of traffic that involves sending multi-MB XML blobs, and the blobs have no newline characters in them. Even on a recent laptop, Wireshark is very slow to parse the stream when viewed in ASCII mode, on the order of 4 packets per second. I assume this is because of inefficiencies in soft-word-wrapping code either in Wireshark itself or the OS. The total amount of traffic is something like 65MB, so even after a few hours, Wireshark wasn't done following the stream. It runs at a reasonable speed in Hex Dump mode, but until I figured out the workaround below, I didn't think I could use that because the "Show data as" dropdown is greyed out until the stream has been parsed.

This is the workaround I'm using in the meantime: follow a different, shorter stream first. Wait for it to finish parsing. Switch to Hex Dump view. Change the Stream ID in the stream viewer to the ID of the problematic stream.

blincoln asked 2021-06-30 20:56:15 +0000

Comments

On another note, would tshark -r <infile> -z "follow,tcp,ascii,#" (where # is the flow number) be something useful for you?

Jaap (2021-07-01 05:54:55 +0000)

I think the OP is looking for hex mode, so tshark -r <infile> -z "follow,tcp,hex,#"

grahamb (2021-07-01 07:58:46 +0000)

Those are both very helpful as well. Thank you :).

blincoln (2021-07-05 17:31:16 +0000)

1 Answer


Currently it is hard-coded in follow_stream_dialog.cpp to start in ASCII view.

FollowStreamDialog::FollowStreamDialog(QWidget &parent, CaptureFile &cf, follow_type_t type) :
    WiresharkDialog(parent, cf),
    ui(new Ui::FollowStreamDialog),
    b_find_(NULL),
    follow_type_(type),
    follower_(NULL),
    show_type_(SHOW_ASCII),   // <-- hard-coded default view
    truncated_(false),


If extracting with tshark doesn't work out, you could open an enhancement request to configure the "Show data as" value as a Wireshark preference and/or recent.

Chuckc answered 2021-07-01 16:27:26 +0000

Comments

Thank you :).

blincoln (2021-07-05 17:30:35 +0000)
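The tshark route suggested in the comments (`-z "follow,tcp,hex,#"`) and the question's observation that the fixed-width hex view stays fast where soft-wrapped ASCII does not are illustrated below by an added example that is not code from this thread or from Wireshark itself. It follows one TCP stream out of a pcap and renders it as a fixed-width hex dump. Assumptions: a classic little-endian pcap of Ethernet/IPv4/TCP frames; streams numbered in order of first appearance as Wireshark's tcp.stream does; no sequence-number wraparound. The capture it operates on (`SAMPLE_PCAP`) is constructed inline, not real traffic, and deliberately contains an out-of-order segment and a retransmission; `follow_tcp`, `reassemble`, `hex_dump` and the helper names are this example's own.

```python
"""Follow one TCP stream from a pcap and hex-dump it (added example, not
from the question or from Wireshark). Mimics `tshark -z "follow,tcp,hex,N"`:
streams numbered by first appearance, each direction reassembled by sequence
number with retransmitted bytes dropped, fixed-width hex lines (no soft
word wrapping needed). Assumes classic little-endian pcap, Ethernet/IPv4/TCP."""
import struct

PCAP_MAGIC = 0xA1B2C3D4

def pcap_frames(data):
    """Yield the link-layer bytes of each record in a classic pcap file."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    offset = 24                                   # skip the global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, offset)[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def tcp_segment(frame):
    """Return (src, dst, sport, dport, seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return ip[12:16], ip[16:20], sport, dport, seq, tcp[data_off:]

def reassemble(segments):
    """Join (seq, payload) pairs in sequence order, dropping re-sent bytes."""
    out, next_seq = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if not payload:
            continue
        if next_seq is None:
            next_seq = seq
        seen = next_seq - seq                     # bytes already delivered
        if seen >= len(payload):
            continue                              # pure retransmission
        out += payload[max(seen, 0):]             # a gap (seen < 0) is just joined
        next_seq = seq + len(payload)
    return bytes(out)

def follow_tcp(pcap_bytes, stream_index):
    """Return {'client': bytes, 'server': bytes} for TCP stream `stream_index`,
    numbered like Wireshark's tcp.stream (order of first appearance); the
    endpoint that sent the first segment is the client."""
    streams = {}                                  # dicts keep insertion order
    for frame in pcap_frames(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, dst, sport, dport, seq, payload = seg
        a, b = (src, sport), (dst, dport)
        conv = streams.setdefault(frozenset((a, b)), {"client": a, a: [], b: []})
        conv[a].append((seq, payload))
    conv = list(streams.values())[stream_index]
    client = conv["client"]
    (server,) = [ep for ep in conv if ep != "client" and ep != client]
    return {"client": reassemble(conv[client]), "server": reassemble(conv[server])}

def hex_dump(data, width=16):
    """Render bytes as offset / hex / printable-ASCII lines of fixed width."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines

def _frame(src, dst, sport, dport, seq, payload):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; sample only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def _pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

A, B, C, D = (bytes([10, 0, 0, n]) for n in (1, 2, 3, 4))
XML_BLOB = b"<doc>" + b"<item/>" * 4 + b"</doc>"      # 39 bytes, no newlines
SAMPLE_PCAP = _pcap([                                 # constructed sample, not real traffic
    _frame(A, B, 40000, 80, 100, b"hello"),           # stream 0, client
    _frame(B, A, 80, 40000, 900, b"world"),           # stream 0, server
    _frame(C, D, 40001, 443, 1000, XML_BLOB[:16]),    # stream 1, first segment
    _frame(C, D, 40001, 443, 1032, XML_BLOB[32:]),    # third segment arrives early
    _frame(C, D, 40001, 443, 1016, XML_BLOB[16:32]),  # the missing middle
    _frame(C, D, 40001, 443, 1016, XML_BLOB[16:32]),  # retransmission of it
    _frame(D, C, 443, 40001, 5000, b"ok"),            # stream 1, server reply
])

if __name__ == "__main__":
    for side, payload in follow_tcp(SAMPLE_PCAP, 1).items():
        print(f"--- {side}:\n" + "\n".join(hex_dump(payload)))
```

Running the script prints both directions of stream 1 as hex-dump lines of a fixed 16 bytes each; because every output line has the same width regardless of where (or whether) newlines occur in the payload, the cost is linear in the payload size, which is the property the question relies on when switching to Hex Dump view. To apply it to a real file, replace `SAMPLE_PCAP` with the bytes of a classic pcap (pcapng is not parsed here) and pick the stream index shown by Wireshark's tcp.stream field.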
