0

Why does the field -e http.next_request_in in tshark show an empty string?

asked 2021-09-20 22:14:13 +0000

secondaviv

While using tshark on Windows with the following command with -e http.next_request_in, I see an empty string. While using the GUI, I see the next request.

Command: "tshark -r example.pcapng -Y http -T fields -e http.next_request_in".


1 Answer

1

answered 2021-09-21 04:00:29 +0000

Chuckc

(example capture is sctp-www.cap from the Wireshark Wiki Sample Captures)

By default, tshark (man page) makes a single pass through the capture so it can see the current packet and into the past.

$ tshark -r ./sctp-www.cap -Y http -T fields -e frame.number -e http.request_in
5
7       5
16
21
22      21
27
29      27
50
65
68

Output can be limited to only frames that contain the fields we're interested in:

$ tshark -r ./sctp-www.cap -Y http.request_in -T fields -e frame.number -e http.request_in
7       5
22      21
29      27
To look into the future, tshark needs to make two passes through the capture file:

-2
Perform a two-pass analysis. This causes tshark to buffer output until the entire first pass is done, but allows it to fill in fields that require future knowledge, such as 'response in frame #' fields. Also permits reassembly frame dependencies to be calculated correctly.

Single pass

$ tshark -r ./sctp-www.cap -Y http.next_request_in -T fields -e frame.number -e http.next_request_in
$

Add -2 option for two-pass processing

$ tshark -2 -r ./sctp-www.cap -Y http.next_request_in -T fields -e frame.number -e http.next_request_in
5       21
7       21
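To make the single-pass versus two-pass distinction concrete, here is an added Python model that is not part of the answer above or of tshark itself. It assumes a simplified version of the fields: http.request_in is a backward reference (the request a response belongs to) and http.next_request_in is a forward reference to the next request in the same conversation. The frame numbers and stream assignments are constructed to loosely mirror the answer's output; the actual sctp-www.cap conversation layout is not reproduced.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    number: int
    stream: int                          # conversation (TCP/SCTP association) the frame belongs to
    kind: str                            # "request" or "response"
    request_in: Optional[int] = None     # backward reference: filled on a single pass
    next_request_in: Optional[int] = None  # forward reference: needs knowledge of later frames


# Constructed sample (not the real capture): frame numbers borrowed from the answer,
# stream membership is an assumption made for the illustration.
SAMPLE: List[Frame] = [
    Frame(5, 1, "request"), Frame(7, 1, "response"),
    Frame(16, 2, "request"),
    Frame(21, 1, "request"), Frame(22, 1, "response"),
    Frame(27, 3, "request"), Frame(29, 3, "response"),
    Frame(50, 2, "request"),
]


def single_pass(frames: List[Frame]) -> List[Frame]:
    """One forward scan. Each frame is finalised the moment it is dissected, so the
    only cross-frame data available is what was already seen: the last request per
    conversation. That fills request_in but can never fill next_request_in."""
    out: List[Frame] = []
    last_request: Dict[int, int] = {}   # stream -> most recent request frame number
    for src in frames:
        f = Frame(src.number, src.stream, src.kind)   # fresh copy, fields unset
        if f.kind == "request":
            last_request[f.stream] = f.number
        elif f.stream in last_request:
            f.request_in = last_request[f.stream]
        out.append(f)
    return out


def two_pass(frames: List[Frame]) -> List[Frame]:
    """Equivalent of tshark -2: the first pass learns where every request sits; only
    then is output produced, so forward references can be resolved per conversation."""
    first = single_pass(frames)
    requests: Dict[int, List[int]] = {}  # stream -> request frame numbers in capture order
    for f in first:
        if f.kind == "request":
            requests.setdefault(f.stream, []).append(f.number)
    for f in first:
        later = [n for n in requests.get(f.stream, []) if n > f.number]
        f.next_request_in = later[0] if later else None
    return first


def fields(frames: List[Frame], name: str) -> List[Tuple[int, int]]:
    """Mimic `-Y <field> -T fields -e frame.number -e <field>`: emit a row only for
    frames where the requested field has a value."""
    return [(f.number, getattr(f, name)) for f in frames if getattr(f, name) is not None]


if __name__ == "__main__":
    print("single pass, request_in:     ", fields(single_pass(SAMPLE), "request_in"))
    print("single pass, next_request_in:", fields(single_pass(SAMPLE), "next_request_in"))
    print("two pass,    next_request_in:", fields(two_pass(SAMPLE), "next_request_in"))
```

Running it reproduces the shape of the answer's output: the single pass yields the request_in rows and an empty list for next_request_in, while the two-pass run yields 5 → 21 and 7 → 21 (plus 16 → 50 from the constructed stream 2). The empty string the question reports is exactly the single-pass case: the field exists, but nothing was known to put in it when the frame was printed.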

Last updated: Sep 21 '21