Export selected http works strange - got another tcp packets

export
http

asked 2021-09-24 09:21:25 +0000

I tried to select only needed http packets (request-responce packets), exported to pcapng file with marked "Selected packets" chekbox. And then new file contains only another tcp packages, maybe related to this TCP flow, but no my selected http package. Why? Looks like problem with partial tcp flow, then why wireshark don't "calculate" it on exporting?

P.s. - sorry if it's duplicate

edit retag flag offensive close merge delete

add a comment

3 Answers

Sort by » oldest newest most voted

answered 2021-09-26 10:53:23 +0000

SYN-bit

18344 ●9 ●301 ●255 https://SYN-b.it

updated 2021-09-26 11:02:21 +0000

If you take HTTP.cap as an example, then filter on http, you will see the http request in frame 4 and the http response in frame 36. If you look more closely, the response in frame 36 consists of 16 reassembled TCP segments:

[16 Reassembled TCP Segments (22045 bytes): #6(1448), #8(1448), #10(1448), #12(1448), #14(1448), #16(1448), #18(1448), #20(1448), #22(1448), #24(1448), #26(1448), #28(1448), #30(1448), #32(1448), #34(1448), #36(325)]

This is because the file logo.png is 21684 bytes in size and this will not fit in one TCP segment. Wireshark reassembles all the TCP segments in order to show the full HTTP object.

When you call Export specified packets..., Wireshark will make sure that all packets that were necessary to show these two packets will be saved in the new file. That's why you see not 2, but 17 in the "Displayed" column before saving to disk.

The menu options to use "All packets", "Selected Packets only", "Marked packets only", "First to last marked" and "Range:" are provided to restrict the output in one way or the other. So when you have packet 4 and 36 selected and then use "Selected packets only", it will do exactly that, it will save only packet 4 and 36 out of the 17 packets needed to reconstruct the http request and response. As packet 36 is only the last part of the repsonse, Wireshark will not recognize it as HTTP in the new capture file, as it is missing the http response header and most part of the http response body.

So if you need to save one http request response pair from a large pcap, you could do the following. First filter on http and find the request response pair that you want to save into a new file, then use the filter frame.number in {...} to only show the request/response you need (in this case frame.number in {4 36}). And then in "Export selected packets", keep the setting on "All packets" and "Displayed" to make sure the other TCP segments are also saved in the new file.

edit flag offensive delete link

Comments

Combining @Chuckc's method and my method:

select the http request you would like to export combined with its response and then use the filter frame.number in {${frame.number} ${http.response_in}} to get only this specific request/response pair, the use Export selected packets... and leave the settings at default.

SYN-bit ( 2021-09-26 11:08:06 +0000 )edit

Wireshark will make sure

As I wroted, it wasn't. It shows 2 selected packets, and exported only few fragments, so why in exported file there no way to see http requst, only tcp fragments. Looks like I should try Chuckc's answer

andnovator ( 2021-09-26 11:24:25 +0000 )edit

frame.number in {...}

I know, but it's only for one http flow (with GUI), as I did in the past. But I wanted to exporte 2 separated http flows. Still, as Chuckc mentonied, I can wrote this filter manual to include 2 http flow. Sad that there no way to do it with gui (do I wrong?)

andnovator ( 2021-09-26 11:27:13 +0000 )edit

keep the setting on "All packets" and "Displayed"

Yup, looks like a way...

As I wroted, it wasn't

I made mistake, btw, sorry

use "Selected packets only", it will do exactly that, it will save only packet 4 and 36 out of the 17 packets needed to reconstruct the http request and response

I missed it in the first read =} Yes, it's my problem, I understand why it should be, still I wanted some "automated" way to export fragmented http request, without manual writing filters and then exporting with "Displayed". Anyway, thx

andnovator ( 2021-09-26 11:31:21 +0000 )edit

You can create a filter button for the frame.number in {${frame.number} ${http.response_in}} filter (click on the + next to the filter bar), then afterwards saving one http request/response pair takes even 1 less click then the packet selection route :-)

SYN-bit ( 2021-09-26 11:50:32 +0000 )edit

see more comments

answered 2021-09-24 13:21:51 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

It's likely that the HTTP messages are fragmented over multiple TCP segments so those are required in the export.

edit flag offensive delete link

Comments

I understand this. But how to select needed without 'garbadge' tcp packets? I saw packets "flow" indication left before packets info, but there are many tcp packets between needed, so if I select all, then I got unnessasary packets. Also - can wireshark ("in the future"?) with some settings do it by itself - add needed tcp packets?

andnovator ( 2021-09-24 13:27:47 +0000 )edit

They're not "garbage", they contain the fragments of the HTTP content for the complete HTTP message.

grahamb ( 2021-09-24 13:59:37 +0000 )edit

I talked about fragmented tcp package from another http requests + tcp packets not from http. That I don't want in file (if I open tcp fragmented packets for MY requests - I see fragmented http text)

andnovator ( 2021-09-25 17:30:15 +0000 )edit

Can you share the capture file (at a public file share, e.g. Google Drive, DropBox etc.) and point to the HTTP request with the problem?

grahamb ( 2021-09-25 19:10:29 +0000 )edit

add a comment

answered 2021-09-24 18:07:57 +0000

Chuckc
2818 ●5 ●567 ●19

Select the "Request" packet (contains the value http.response_in and apply display filter:

frame.number in {${frame.number} ${http.response_in}} or tcp.reassembled_in in {${frame.number} ${http.response_in}}

edit flag offensive delete link

Comments

Nice filter Chuck, I like your usage of ${} macros inside of the set filter.

SYN-bit ( 2021-09-26 11:04:57 +0000 )edit

Ogh, thx. For some reason, I didn't think to combine multiple "frame.number in" filters

andnovator ( 2021-09-26 11:42:01 +0000 )edit

@Chuckc, @SYN-bit, my and Chuckc's messages still not shown (looking like it was "removed") . @Chuckc, is your request about creaing by me gitlab enhancement request still actual? Btw, thx for a good example with macros, good for for creating "fast" button as syn-bit sayed

andnovator ( 2021-09-26 17:37:02 +0000 )edit

@andnovator up to you. If you have a process that works for you now, then no need for ER. If you think Follow->HTTP Stream should do the work to build the filter, open an ER.
An example I like is the Prepare Filter on the VoIP Calls window. The resulting filter looks like:

frame.number in {4 6 8 10 15 17 19 20 22 24 26 28 29 31 32 40 34} or rtp.setup-frame in {4 6 8 10 15 17 19 20 22 24 26 28 29 31 32 40 34}

Seems that selecting a http packet and doing Follow->HTTP Stream should be able to give a similar result for the display. I'm not sure how often users care about a display filter that is only the HTTP packets in the stream.

Chuckc ( 2021-09-26 18:21:06 +0000 )edit

Maybe we need simple wikia page about exporting fragmented packages such a fragmnted http flow...

andnovator ( 2021-09-26 18:26:02 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Export selected http works strange - got another tcp packets

3 Answers

Comments

Comments

Comments

Your Answer

Question Tools

Stats

Related questions

Export selected http works strange - got another tcp packets edit

3 Answers

Comments

Comments

Comments

Your Answer

Question Tools

Stats

Related questions

Export selected http works strange - got another tcp packets