Pyshark and Wireshark show different views of HTTP2 layer

asked 2021-05-08 16:13:13 +0000

Brad gravatar image

I'm trying to programmably export jpegs using Pyshark. My problem is that I cannot identify the final http2 packet containing the jpeg in Pyshark, even though I can see that it is there in Wireshark.

Wireshark view: link text

Pyshark view:

Wireshark shows an HTTP2 section with two streamids, 51 and 55. The jpeg is where I expect it to be under streamid 55.

Pyshark only shows one streamid, 51. I can poke around and find that the jpeg from streamid 55 is in this layer, but programatically, I have no way of knowing that it is there, since there is nothing to indicate that this layer contains data from streamid 55. As you can see, the End of Stream flag is not set in Pyshark either.

How does Wireshark create the correct view of the stream, while Pyshark does not? Is this to be expected or is a bug? Can anyone think of a way for me to deal with this?


edit retag flag offensive close merge delete


pyshark is a wrapper for tshark.
Have you verified that tshark and wireshark are the same version?
Can you recreate the issue in tshark? (easier to diagnose without the Python layer)

Chuckc gravatar imageChuckc ( 2021-05-08 16:36:26 +0000 )edit

Perhaps you need to run tshark with the two pass parameter.

Anders gravatar imageAnders ( 2021-05-08 21:04:51 +0000 )edit