Ask Your Question
0

Is there a way to show non truncated data with tshark without recompiling?

asked 2019-08-26 17:00:22 +0000

rspiege1 gravatar image

Has there been a feature added yet to T-Shark to allow you to see the full non-truncated payload of a message? In my case I am working with webscocket data that is compressed using permessage-deflate. I can decompress it, but it truncates the payload.

I'm aware that I can recompile tshark and modify the ITEM_LABEL_LENGTH in epan/proto.h, but I wanted to see if there was any other way this could be accomplished without recompiling tshark.

This is an example of the Tshark command I am running: tshark -r ~/Downloads/small.pcap -Y websocket.payload -Tfields -e frame.number -e frame.time -e text

Thanks

edit retag flag offensive close merge delete

Comments

Have you solved this issue?

doogers gravatar imagedoogers ( 2022-10-14 10:14:44 +0000 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-08-26 17:31:23 +0000

grahamb gravatar image

updated 2023-06-15 08:08:41 +0000

Guy Harris gravatar image

Enhancement request 14874 is looking for something user adjustable for use with the GUI, but if implemented would probably work in the CLI as well.

edit flag offensive delete link more

Comments

That request is talking about the items in the packet detail pane. It's not clear that, say, a line in a protocol tree view that's 100000 characters wide would be all that useful - that's a lot of scrolling* - but for somebody dumping that information out in a form possibly intended for machine consumption, such as -T fields output, perhaps there should be no limit.

That might require that the -T fields output be produced by different code from the protocol tree display code, but that's not necessarily a bad thing - what's useful for human consumption isn't necessarily what's useful for machine consumption.

Guy Harris gravatar imageGuy Harris ( 2019-08-26 19:06:11 +0000 )edit
add a comment
0

answered 2021-11-30 22:16:15 +0000

fred82 gravatar image

I've developed my own tool to extract WebSocket frames from a pcap file, it works quite better than Wireshark. It's at https://www.npmjs.com/package/pcap-tc...

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-08-26 17:00:22 +0000

Seen: 1,687 times

Last updated: Jun 15 '23

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2