Ask Your Question
0

tshark http.response_in not working

asked 2022-08-20 20:54:25 +0000

the_paul gravatar image

I have a capture file with a HTTP 1.1 request in frame 536 and the HTTP 200 response in frame 856. Frame 856 is reassembled.
In wireshark 3.6.7 I can filter those two packets by: 

http.request_in in{536,856}||http.response_in in{536,856}

or by

http.request_in == 536 || http.response_in == 856

It works fine and i see both packets.

But when I use tshark I only see the response frame 856.

tshark -r tmp.pcap -Y "http.request_in in{536,856} || http.response_in in{536,856}"
tshark -r tmp.pcap -Y "http.request_in == 536 || http.response_in == 856"

when I run:

tshark -r tmp.pcap -Y "http.response_in == 856"

then no frame is shown. Wireshark shows with the same filter the frame 536.

The filter:

"frame.number == 536 || frame.number == 856"

works the same in tshark and wireshark. What am I missing?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-08-21 10:32:06 +0000

Chuckc gravatar image

updated 2022-08-21 10:34:52 +0000

From the Wireshark Developer's Guide:

Wireshark dissects packets in what it calls 'two-pass' dissection.
...
Wireshark later performs 'second pass' ad-hoc dissections on the packets that it needs data from. This enables Wireshark to fill in fields that require future knowledge, like the 'response in frame #' fields, and correctly calculate reassembly frame dependencies.

tshark does a single pass unless told to make a second pass with the -2 option:

-2
Perform a two-pass analysis. This causes TShark to buffer output until the entire first pass is done, but allows it to fill in fields that require future knowledge, such as 'response in frame #' fields. Also permits reassembly frame dependencies to be calculated correctly.

>tshark -r http.cap -T fields -e frame.number -e http.request_in -e http.response_in -Y http
4
18
27      18
38      4

>tshark -r http.cap -2 -T fields -e frame.number -e http.request_in -e http.response_in -Y http
4               38
18              27
27      18
38      4
edit flag offensive delete link more

Comments

i was only aware of the -R parameter. Fast and educational, the perfect answer. thank you very much!

the_paul gravatar imagethe_paul ( 2022-08-21 12:16:31 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2022-08-20 20:54:25 +0000

Seen: 333 times

Last updated: Aug 21 '22

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark