
Is there a way to show non-truncated data with tshark without recompiling?

asked 2019-08-26 17:00:22 +0000

rspiege1

Has there been a feature added yet to TShark to allow you to see the full non-truncated payload of a message? In my case I am working with WebSocket data that is compressed using permessage-deflate. I can decompress it, but it truncates the payload.

I'm aware that I can recompile tshark and modify the ITEM_LABEL_LENGTH in epan/proto.h, but I wanted to see if there was any other way this could be accomplished without recompiling tshark.

This is an example of the tshark command I am running:

tshark -r ~/Downloads/small.pcap -Y websocket.payload -Tfields -e frame.number -e frame.time -e text

Thanks


Comments

Have you solved this issue?

doogers ( 2022-10-14 10:14:44 +0000 )

2 Answers


answered 2019-08-26 17:31:23 +0000

grahamb

updated 2023-06-15 08:08:41 +0000

Guy Harris

Enhancement request 14874 is looking for something user adjustable for use with the GUI, but if implemented would probably work in the CLI as well.


Comments

That request is talking about the items in the packet detail pane. It's not clear that, say, a line in a protocol tree view that's 100000 characters wide would be all that useful - that's a lot of scrolling - but for somebody dumping that information out in a form possibly intended for machine consumption, such as -T fields output, perhaps there should be no limit.

That might require that the -T fields output be produced by different code from the protocol tree display code, but that's not necessarily a bad thing - what's useful for human consumption isn't necessarily what's useful for machine consumption.

Guy Harris ( 2019-08-26 19:06:11 +0000 )

answered 2021-11-30 22:16:15 +0000

fred82

I've developed my own tool to extract WebSocket frames from a pcap file; it works quite better than Wireshark. It's at https://www.npmjs.com/package/pcap-tc...

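The following is an added example, not code from any poster in this thread or from the Wireshark project: it reassembles WebSocket messages from the raw bytes of one direction of a connection (RFC 6455 framing) and inflates permessage-deflate payloads (RFC 7692), so each payload is returned in full rather than through a display label. It assumes the TCP stream is already reassembled and the HTTP upgrade handshake has been stripped; `parse_frame`, `messages` and `sample_stream` are names made up for this example.

```python
import struct
import zlib

def parse_frame(buf):
    """Parse one RFC 6455 frame: (fin, rsv1, opcode, payload, remaining bytes)."""
    if len(buf) < 2:
        raise ValueError("truncated frame header")
    fin, rsv1, opcode = bool(buf[0] & 0x80), bool(buf[0] & 0x40), buf[0] & 0x0F
    masked, length, pos = bool(buf[1] & 0x80), buf[1] & 0x7F, 2
    if length == 126:                        # 16-bit extended length
        length, pos = struct.unpack_from("!H", buf, pos)[0], pos + 2
    elif length == 127:                      # 64-bit extended length
        length, pos = struct.unpack_from("!Q", buf, pos)[0], pos + 8
    key = buf[pos:pos + 4] if masked else b""
    pos += len(key)
    if len(buf) < pos + length:
        raise ValueError("truncated frame payload")
    payload = buf[pos:pos + length]
    if masked:                               # client-to-server frames are XOR-masked
        payload = bytes(c ^ key[i % 4] for i, c in enumerate(payload))
    return fin, rsv1, opcode, payload, buf[pos + length:]

def messages(stream):
    """Return every data message in one direction of a connection, in full."""
    inflater = zlib.decompressobj(wbits=-15)  # raw DEFLATE, shared across messages
    out, parts, compressed = [], [], False
    while stream:
        fin, rsv1, opcode, payload, stream = parse_frame(stream)
        if opcode >= 0x8:                    # control frames are never compressed
            continue
        if opcode != 0x0:                    # RSV1 appears on a message's first frame only
            compressed = rsv1
        parts.append(payload)
        if fin:
            data = b"".join(parts)
            if compressed:                   # RFC 7692: restore the stripped sync-flush tail
                data = inflater.decompress(data + b"\x00\x00\xff\xff")
            out.append(data)
            parts = []
    return out

def sample_stream(text):
    """Constructed input: one masked, compressed text message split into two frames."""
    comp = zlib.compressobj(wbits=-15)
    body = (comp.compress(text) + comp.flush(zlib.Z_SYNC_FLUSH))[:-4]
    key, half = b"\x12\x34\x56\x78", len(body) // 2   # constructed masking key
    def frame(first_byte, chunk):
        masked = bytes(c ^ key[i % 4] for i, c in enumerate(chunk))
        return bytes([first_byte, 0x80 | 126]) + struct.pack("!H", len(chunk)) + key + masked
    return frame(0x41, body[:half]) + frame(0x80, body[half:])  # RSV1+text, FIN+continuation
```

Calling `messages(sample_stream(b"..."))` returns a list with the original bytes of each message, whatever their length.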
