Follow stream as Hex Dump error [Stream output truncated]

asked 2023-01-06 19:26:47 +0000

larrym996

I have a capture that is about 60 meg, and I use a display filter of lpd. I would like to Follow Stream>Show Data as "Hex Dump". But I get [Stream output truncated] so I cannot view the end of the stream.

Is there any way to work around this, such as command line options? Thanks


Comments

What version of Wireshark? (Update the question with output of wireshark -v or Help->About Wireshark:Wireshark)

The max stream was bumped from 2MB to 500MB in commit Qt: Follow stream performance improvements.

Chuckc ( 2023-01-06 21:28:16 +0000 )

I've been trying to edit my question for several days but none of the changes are getting applied, bad karma ?? :) So I'll add additional info as an answer. I'm using Wireshark v4.0.2 on a Windows 32 gig memory system. The follow tcp stream dialog window, show data as hex dump, has a value of 9,731 client pkts in the bottom left. But the list box doesn't display all values, it ends with "[Stream output truncated]"

My goal is to count the bytes in the lpd stream going to the printer. Is there a better way to do this than hex dump?

I tried lpd display filter>Statistics>Conversations>Bytes B->A but the 205.302 MiB doesn't seem to match what I'm expecting.

On a smaller lpd stream I calculated:

Final byte count = 0x00469094 + 16 = 4,624,548

Start of job byte count = -0x4C (-76 ...(more)

larrym996 ( 2023-01-08 15:28:45 +0000 )

(Cloudflare sits in front of this site - I had some issues when adding the comment on the question.)

There is a mix of ldp and lpd above - just want to confirm the question is about lpd.

What numbers do you get when setting a display filter of lpd, then opening Statistics->Protocol Hierarchy and looking at the Line Printer Daemon Protocol?

Chuckc ( 2023-01-08 16:57:33 +0000 )

All about lpd protocol.

Statistics->Protocol Hierarchy

"Protocol","Percent Packets","Packets","Percent Bytes","Bytes","Bits/s","End Packets","End Bytes","End Bits/s","PDUs"

"Frame",100,428,100,4647690,27719662.25015606,0,0,0,428
"Ethernet",100,428,0.12946216292394716,6017,35886.47430426492,0,0,0,428
"Internet Protocol Version 4",100,428,0.18417751614242775,8560,51053.38541540763,0,0,0,428
"Transmission Control Protocol",100,428,99.68636032093363,4633113,27632722.39043639,0,0,0,428
"Line Printer Daemon Protocol",100,428,99.5021828047912,**4624553**,27581669.00502098,428,4624553,27581669.00502098,428

larrym996 ( 2023-01-08 21:43:50 +0000 )

4624553 seems pretty close to 4,624,548.
Are the numbers similar for the larger print job?

Chuckc ( 2023-01-08 22:02:04 +0000 )
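
One way to count the payload bytes sent to the printer without the Follow Stream dialog, as an added example that is not part of the original thread or of Wireshark. It assumes a classic pcap file (not pcapng), untagged Ethernet/IPv4, and LPD on TCP port 515 (RFC 1179); the function names and the sample capture are constructed for illustration, and partially overlapping retransmissions are not merged.

```python
import struct
from collections import defaultdict
LPD_PORT = 515  # assumption: LPD on its RFC 1179 port

def lpd_bytes_to_printer(pcap, port=LPD_PORT):
    """Unique TCP payload bytes sent to `port`, keyed by (client IP, client port)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("need a classic pcap file with Ethernet link type")
    segs = defaultdict(dict)  # flow -> {sequence number: payload length}
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP over untagged Ethernet
        ihl = (frame[14] & 0x0F) * 4
        tcp = 14 + ihl
        if len(frame) < tcp + 20:
            continue  # TCP header cut off
        sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
        # Use the IP total length so Ethernet padding is not counted.
        payload = struct.unpack_from("!H", frame, 16)[0] - ihl - (frame[tcp + 12] >> 4) * 4
        if dport != port or payload <= 0:
            continue
        flow = (".".join(map(str, frame[26:30])), sport)
        # A segment resent with the same sequence number is counted once.
        segs[flow][seq] = max(payload, segs[flow].get(seq, 0))
    return {flow: sum(s.values()) for flow, s in segs.items()}

def _frame(sport, dport, seq, data, pad=0):  # builds one constructed sample frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + data + b"\x00" * pad

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample: 2 data segments, a retransmission, a padded segment, a reply.
SAMPLE = _pcap([
    _frame(50000, 515, 1000, b"A" * 100),
    _frame(50000, 515, 1100, b"B" * 200),
    _frame(50000, 515, 1100, b"B" * 200),
    _frame(50000, 515, 1300, b"\x00", pad=5),
    _frame(515, 50000, 7000, b"\x00", pad=5),
])
```

For a real capture, pass the file contents read in binary mode; a pcapng capture has to be saved in pcap format first.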