Ask Your Question
0

Is there a way to show non truncated data with tshark without recompiling?

asked 2019-08-26 17:00:22 +0000

Has there been a feature added yet to T-Shark to allow you to see the full non-truncated payload of a message? In my case I am working with webscocket data that is compressed using permessage-deflate. I can decompress it, but it truncates the payload.

I'm aware that I can recompile tshark and modify the ITEM_LABEL_LENGTH in epan/proto.h, but I wanted to see if there was any other way this could be accomplished without recompiling tshark.

This is an example of the Tshark command I am running: tshark -r ~/Downloads/small.pcap -Y websocket.payload -Tfields -e frame.number -e frame.time -e text

Thanks

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-08-26 17:31:23 +0000

grahamb gravatar image

Enhancement request 14874 is looking for something user adjustable for use with the GUI, but if implemented would probably work in the CLI as well.

edit flag offensive delete link more

Comments

That request is talking about the items in the packet detail pane. It's not clear that, say, a line in a protocol tree view that's 100000 characters wide would be all that useful - that's a lot of scrolling* - but for somebody dumping that information out in a form possibly intended for machine consumption, such as -T fields output, perhaps there should be no limit.

That might require that the -T fields output be produced by different code from the protocol tree display code, but that's not necessarily a bad thing - what's useful for human consumption isn't necessarily what's useful for machine consumption.

Guy Harris gravatar imageGuy Harris ( 2019-08-26 19:06:11 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-08-26 17:00:22 +0000

Seen: 26 times

Last updated: Aug 26