Wireshark-dev: Re: [Wireshark-dev] tshark option for reassembled fragment output

From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Sun, 3 Mar 2013 18:51:49 +0000 (UTC)
Hadriel Kaplan <HKaplan@...> writes:

> BTW, some output from that bug's pcap with your filter:
> 
> ./tshark -r testcapture.pcapng -R 'ip.src == 10.90.130.69 && ip.dst == 10.90.130.66 && tcp.flags.push == 1'
>   5 0.001054000 0.000050000 10.90.130.69 -> 10.90.130.66 HTTP/XML POST /urreq/rrurreq.dll/?soaprequest HTTP/1.1 
> 
> ./tshark -r testcapture.pcapng -R 'ip.src == 10.90.130.69 && ip.dst == 10.90.130.66 && tcp.flags.push == 1' -2
>   1 0.001054000 0.000000000 10.90.130.69 -> 10.90.130.66 HTTP/XML POST /urreq/rrurreq.dll/?soaprequest HTTP/1.1 
> 
> ./tshark -r testcapture.pcapng -Y 'ip.src == 10.90.130.69 && ip.dst == 10.90.130.66 && tcp.flags.push == 1'
>   4 0.001004000 0.000886000 10.90.130.69 -> 10.90.130.66 TCP [TCP segment of a reassembled PDU]
>   5 0.001054000 0.000050000 10.90.130.69 -> 10.90.130.66 HTTP/XML POST /urreq/rrurreq.dll/?soaprequest HTTP/1.1 
> 
> Note that last one is what my patch is doing with the '-Y' mode.  If this
> replaces one of the current modes instead of being a new one, I'll make it
> stop printing the fragments out.  I couldn't decide if it seemed odd or not
> to print them, but I figured if it was a new option to do this reassembly
> thing anyway, that the user could just not use it if they were printing to
> stdout and didn't want to see the fragments.

I think there is a difference between displaying the packets matching the filter
and saving the packets matching the filter to another pcap file.  In the former
case, Wireshark does not display packets that don't match the display filter; I
think tshark should behave the same way.

Only when you save packets off to another pcap file do the dependencies also get
saved using Wireshark.  That's what I think tshark should do here as well.

And currently Wireshark does not allow you *NOT* to save those dependencies -
From Jeff's commit message, "Also, this behavior is always the case: you can't
save the displayed packets without their dependencies (I don't see why this
would be desirable)."  So, tshark might as well act similarly.  I suggest
dispensing with the -Y option and just save all packet dependencies when using
the -2 and -w <outfile> options.  Displaying packets should not change.

I'm curious what Jeff thinks though since he wrote the code for Wireshark.
- Chris
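The display-versus-save distinction Chris draws, modelled in Python as an added example (not Wireshark or tshark code): a first pass records which earlier TCP segments were reassembled into each frame, and the save step, unlike display, carries those dependent frames along. The addresses, frame numbers and payloads are constructed to mirror the capture quoted above; the `-Y`/`-R`/`-w` mapping in the docstrings is the behaviour proposed in the thread, not a description of any released tshark.

```python
# Added example, not Wireshark/tshark code: a model of the display-vs-save split
# argued in the thread. Addresses, frame numbers and payloads are constructed to mirror
# the quoted capture (frame 4 is a segment of a PDU that completes, with PSH set, in 5).
from dataclasses import dataclass, field

@dataclass
class Frame:
    number: int
    src: str
    dst: str
    push: bool                      # tcp.flags.push
    payload: bytes                  # TCP segment data
    protocol: str = "TCP"           # highest layer found during dissection
    depends_on: set = field(default_factory=set)  # earlier frames reassembled in

def dissect_two_pass(frames):
    """First pass: buffer payload per flow until a PSH segment completes the PDU;
    the earlier segments become dependencies of the frame finishing reassembly."""
    partial = {}                    # (src, dst) -> [frame numbers, buffered payload]
    for f in frames:
        entry = partial.setdefault((f.src, f.dst), [[], b""])
        entry[0].append(f.number)
        entry[1] += f.payload
        if f.push:
            f.depends_on = set(entry[0]) - {f.number}
            if entry[1].startswith((b"GET ", b"POST ", b"HTTP/")):
                f.protocol = "HTTP"
            del partial[(f.src, f.dst)]
    return frames

def displayed(frames, display_filter):
    """What tshark -2 -Y should print: only the frames the filter matches."""
    return sorted(f.number for f in frames if display_filter(f))

def saved(frames, display_filter):
    """What tshark -2 -R ... -w should write: matching frames plus the frames they
    were reassembled from, so the saved file still dissects as a full HTTP PDU."""
    keep = {f.number for f in frames if display_filter(f)}
    return sorted(keep | {d for f in frames if f.number in keep for d in f.depends_on})

CLIENT, SERVER = "10.90.130.69", "10.90.130.66"
CAPTURE = dissect_two_pass([                                      # constructed frames
    Frame(4, CLIENT, SERVER, False, b"POST /urreq/rrurreq.dll/?soaprequest HTTP/1.1\r\n"),
    Frame(5, CLIENT, SERVER, True, b"Content-Type: text/xml\r\n\r\n<soap/>"),
    Frame(6, SERVER, CLIENT, True, b"HTTP/1.1 200 OK\r\n\r\n"),
])

def client_push(f):  # ip.src == 10.90.130.69 && ip.dst == 10.90.130.66 && tcp.flags.push == 1
    return f.src == CLIENT and f.dst == SERVER and f.push
```

Running `displayed(CAPTURE, client_push)` yields only frame 5, while `saved(CAPTURE, client_push)` yields frames 4 and 5, the dependency included.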