1 | initial version |
Wireshark, by default, reassembles PDUs of higher layer protocols like HTTP. In case of http requests and responses, many of them are sent in multiple packets as they do not fit in one packet. When saving the packets after filtering with tshark, only the packets with the last part of the HTTP request or response gets saved to the file. When you reread that file, Wireshark does not recognize the request or response as it is missing the first part.
One way to solve this is to make tshark save the missing pieces by using two-pass filtering. You can do this with:
tshark -2 -r in.file -w out.file -Y "http.request or http.response"
But since all the packets that make up the request or the response are now saved, you will still have large files. If you are only interested in the first packet of the requests and responses, you can disable reassembly. In this case you also need to disable reassembly when re-reading the new file or otherwise tshark/wireshark will try to do reassembly and fail and so it will not show the packets as http. The workflow would be:
tshark -o tcp.desegment_tcp_streams:FALSE -r in.file -w out.file -Y "http.request or http.response"
tshark -o tcp.desegment_tcp_streams:FALSE -r out.file
Or when reading the new file in Wireshark, make sure you disable reassembly in the TCP protocol preferences.