Ask Your Question
0

display filter mismatch for writing files

asked 2019-09-24 16:32:26 +0000

updated 2019-09-24 21:59:23 +0000

SYN-bit gravatar image

Hi There

Im trying to reduce large cap files for detailed analysis in tshark in this case want to filter out all http requests or responses so using -r in.file -Y "http.request or http.response" -w out.file

before filter ing the packets out I was counting in the raw file the number of http.requests - assuming that same number will appear in the filtered output files but the number in the new out.file is only 60% compared to the in.file - so this seems not reliable process I thought my -Y filter with "OR" may be a problem and tried a single condition (http.request) but same result any hints what I did wrong ? thanks in advance

===

Merged in from your other question:

hi there im using tshark to filter out http response packets I find 2 option using as filter - http.response - and http.response.code I assume that where a http.response code is - this will be a http.response too surprised finding that number of packets with filter "http.response.code" are usually 25% more than with just "http.response" as filter Im using z io,stat for counting the hits and repeated tests several time always same result using shark 2.6.3 would be glad for any hint

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-09-24 21:54:19 +0000

SYN-bit gravatar image

Wireshark, by default, reassembles PDUs of higher layer protocols like HTTP. In case of http requests and responses, many of them are sent in multiple packets as they do not fit in one packet. When saving the packets after filtering with tshark, only the packets with the last part of the HTTP request or response gets saved to the file. When you reread that file, Wireshark does not recognize the request or response as it is missing the first part.

One way to solve this is to make tshark save the missing pieces by using two-pass filtering. You can do this with:

tshark -2 -r in.file -w out.file -Y "http.request or http.response"

But since all the packets that make up the request or the response are now saved, you will still have large files. If you are only interested in the first packet of the requests and responses, you can disable reassembly. In this case you also need to disable reassembly when re-reading the new file or otherwise tshark/wireshark will try to do reassembly and fail and so it will not show the packets as http. The workflow would be:

tshark -o tcp.desegment_tcp_streams:FALSE -r in.file -w out.file -Y "http.request or http.response"
tshark -o tcp.desegment_tcp_streams:FALSE -r out.file

Or when reading the new file in Wireshark, make sure you disable reassembly in the TCP protocol preferences.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-09-24 16:32:26 +0000

Seen: 608 times

Last updated: Sep 24 '19