I suspect that somehow your Wireshark is using a different profile than your tshark (normally tshark should be using the last used Wireshark profile when run on the same system). As protocol preferences can have a big impact on dissection, I tried the preference `tcp.reassemble_out_of_order:TRUE` and got over 600 packets as a result, so I guess that setting is enabled when you run Wireshark, but is disabled when you run tshark:
```
$ tshark -2 -r pan.baidu.com_10.pcapng -o tcp.reassemble_out_of_order:TRUE -o tls.desegment_ssl_records:TRUE -o tls.desegment_ssl_application_data:TRUE -o tls.keylog_file:keylog.txt -Y "tcp.stream eq 9 and http2" | wc -l
630
$
```
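A way to check the profile mismatch suspected above, as an added example that is not part of the original answer: it compares the text of two Wireshark `preferences` files and returns the `-o` options that would make the tshark run use the same TCP and TLS settings as the GUI profile. The sample file contents are constructed, and the parser assumes the usual layout in which a preference left at its default is written as a commented-out `#name: value` line.

```python
import re

# "name: value" is an explicitly set preference. "#name: value" (no space
# after '#') is assumed to be a commented-out default. Description comments
# start with "# " and do not match.
PREF_LINE = re.compile(r"^(#?)([A-Za-z0-9_.]+):\s*(.*)$")


def parse_prefs(text):
    """Return {name: effective value}; explicit settings override defaults."""
    defaults, explicit = {}, {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            target = defaults if m.group(1) else explicit
            target[m.group(2)] = m.group(3).strip()
    return {**defaults, **explicit}


def override_flags(gui_text, cli_text, prefixes=("tcp.", "tls.")):
    """Build -o options that bring the CLI profile in line with the GUI one.

    Only preferences under `prefixes` whose effective value in the GUI
    profile is missing from, or different in, the CLI profile are returned.
    """
    gui, cli = parse_prefs(gui_text), parse_prefs(cli_text)
    flags = []
    for name in sorted(gui):
        if name.startswith(prefixes) and cli.get(name) != gui[name]:
            flags += ["-o", f"{name}:{gui[name]}"]
    return flags


# Constructed sample: profile used by the GUI.
GUI_PREFS = """\
# Reassemble out-of-order segments
# TRUE or FALSE (case-insensitive)
tcp.reassemble_out_of_order: TRUE
#tls.desegment_ssl_records: TRUE
tls.keylog_file: keylog.txt
"""

# Constructed sample: profile picked up by tshark.
CLI_PREFS = """\
#tcp.reassemble_out_of_order: FALSE
#tls.desegment_ssl_records: TRUE
"""

if __name__ == "__main__":
    print(" ".join(override_flags(GUI_PREFS, CLI_PREFS)))
```
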