Option to control default follow stream view?

asked 2021-06-30 20:56:15 +0000

blincoln

Is there an option to set the follow stream view to something other than ASCII by default?

I'm looking at a packet capture of traffic that involves sending multi-MB XML blobs, and the blobs have no newline characters in them. Even on a recent laptop, Wireshark is very slow to parse the stream when viewed in ASCII mode, on the order of 4 packets per second. I assume this is because of inefficiencies in soft-word-wrapping code either in Wireshark itself or the OS. The total amount of traffic is something like 65MB, so even after a few hours, Wireshark wasn't done following the stream. It runs at a reasonable speed in Hex Dump mode, but until I figured out the workaround below, I didn't think I could use that because the "Show data as" dropdown is greyed out until the stream has been parsed.

This is the workaround I'm using in the meantime: follow a different, shorter stream first. Wait for it to finish parsing. Switch to Hex Dump view. Change the Stream ID in the stream viewer to the ID of the problematic stream.


Comments

On another note, would tshark -r <infile> -z "follow,tcp,ascii,#" (where # is the flow number) be something useful for you?

Jaap (2021-07-01 05:54:55 +0000)

I think the OP is looking for hex mode, so tshark -r <infile> -z "follow,tcp,hex,#"

grahamb (2021-07-01 07:58:46 +0000)

Those are both very helpful as well. Thank you :).

blincoln (2021-07-05 17:31:16 +0000)
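The tshark commands suggested in the comments above print the stream as a hex dump on standard output, one line per 16 bytes, which sidesteps the long-line wrapping problem the question describes. The following is an added example (not code from the page or from the Wireshark project) that parses that hex-dump output back into raw bytes, one buffer per direction, so a large blob can be saved to disk and inspected with other tools. It assumes, based on tshark's follow output format rather than anything stated on the page, that each data line is `<8-hex-digit offset>  <16 hex byte pairs, with an extra gap after the 8th>  <ASCII column>`, that lines for the second node (Node 1 to Node 0) are prefixed with a tab, and that offsets restart at zero per direction; the sample output embedded below is constructed for illustration.

```python
"""Parse the output of `tshark -r <infile> -z follow,tcp,hex,<stream>` into
raw bytes per direction.

Added example; format assumptions (not from the page): data lines look like
'<8 hex digit offset>  <hex pairs>  <ascii column>', lines for the second
node are tab-prefixed, and offsets count per direction from zero.
"""
import re
import sys
from dataclasses import dataclass, field

OFFSET_RE = re.compile(r"^(\t?)([0-9A-Fa-f]{8})  ")   # optional tab, offset, two spaces
HEX_PAIR_RE = re.compile(r"[0-9A-Fa-f]{2}")
NODE_RE = re.compile(r"^Node ([01]): (\S+)$")
HEX_COLUMN_WIDTH = 16 * 3 + 1   # 16 x "xx " plus the extra gap after byte 8


@dataclass
class FollowedStream:
    nodes: dict = field(default_factory=dict)          # node index -> "addr:port"
    data: dict = field(default_factory=lambda: {0: bytearray(), 1: bytearray()})
    warnings: list = field(default_factory=list)       # offset discontinuities, if any


def parse_follow_hex(text: str) -> FollowedStream:
    """Rebuild the byte stream of each direction from tshark's hex-dump follow output."""
    stream = FollowedStream()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = NODE_RE.match(line)
        if m:
            stream.nodes[int(m.group(1))] = m.group(2)
            continue
        m = OFFSET_RE.match(line)
        if not m:
            continue   # banner line, "Follow:"/"Filter:" headers, blank lines
        direction = 1 if m.group(1) else 0          # tab prefix => Node 1 -> Node 0
        offset = int(m.group(2), 16)
        buf = stream.data[direction]
        # Sanity check: the offset should equal the bytes seen so far in this
        # direction. Recorded as a warning rather than an error because the
        # per-direction offset convention is an assumption of this example.
        if offset != len(buf):
            stream.warnings.append(
                f"line {lineno}: offset {offset:#x} but {len(buf):#x} bytes collected for node {direction}")
        # The ASCII column is ignored: non-printables are rendered as '.', so only
        # the fixed-width hex column carries the real data.
        hex_column = line[m.end():m.end() + HEX_COLUMN_WIDTH]
        buf.extend(int(pair, 16) for pair in HEX_PAIR_RE.findall(hex_column))
    return stream


# Constructed sample of what the tshark hex follow output looks like (not a real capture).
SAMPLE_OUTPUT = (
    "===================================================================\n"
    "Follow: tcp,hex\n"
    "Filter: tcp.stream eq 7\n"
    "Node 0: 10.0.0.5:51234\n"
    "Node 1: 10.0.0.9:8080\n"
    "00000000  3c 3f 78 6d 6c 20 76 65  72 73 69 6f 6e 3d 22 31  <?xml version=\"1\n"
    "00000010  2e 30 22 3f 3e 3c 61 2f  3e                       .0\"?><a/>\n"
    "\t00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d  HTTP/1.1 200 OK.\n"
    "\t00000010  0a                                                .\n"
    "===================================================================\n"
)


def demo() -> FollowedStream:
    """Parse the constructed sample; node 0 carries the XML, node 1 the HTTP reply."""
    return parse_follow_hex(SAMPLE_OUTPUT)


if __name__ == "__main__":
    # Usage: tshark -r capture.pcapng -z "follow,tcp,hex,7" | python3 this_script.py out
    prefix = sys.argv[1] if len(sys.argv) > 1 else "stream"
    result = parse_follow_hex(sys.stdin.read())
    for idx, payload in result.data.items():
        with open(f"{prefix}.node{idx}.bin", "wb") as fh:
            fh.write(payload)
        print(f"node {idx} ({result.nodes.get(idx, '?')}): {len(payload)} bytes")
    for w in result.warnings:
        print("warning:", w, file=sys.stderr)
```

The parser is linear in the number of lines and never holds more than one line of text at a time beyond the byte buffers, so a 65MB stream is handled in seconds; the per-direction files it writes can then be opened in an XML tool or a hex editor without going through the GUI follow dialog at all.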

1 Answer


answered 2021-07-01 16:27:26 +0000

Chuckc

Currently it is hard-coded in follow_stream_dialog.cpp to start in ASCII view.

    FollowStreamDialog::FollowStreamDialog(QWidget &parent, CaptureFile &cf, follow_type_t type) :
        WiresharkDialog(parent, cf),
        ui(new Ui::FollowStreamDialog),
        b_find_(NULL),
        follow_type_(type),
        follower_(NULL),
        show_type_(SHOW_ASCII),   // <-******** hard-coded default view
        truncated_(false),

If extracting with tshark doesn't work out, you could open an enhancement request to configure the Show data as value as a Wireshark preference and/or recent.


Comments

Thank you :).

blincoln (2021-07-05 17:30:35 +0000)

Asked: 2021-06-30 20:56:15 +0000

Seen: 73 times

Last updated: Jul 01