Ask Your Question
0

Only show reassembled packets instead of frames

asked 2018-05-16 11:17:17 +0000

pavja2 gravatar image

I'm working with some MPEG-TS DCM-CC (MPE) captures which wireshark is capable of reading with the mp2t dissector. However, Wireshark displays these files as a collection of 188 byte frames. For many frames, it's possible to click a tab that says "Reassembled MP2T" and see the entire logical packet but doing this for each one is tedious. Is there a way to extract just the reassembled packets/conversations from the capture?

This also happens for tcp/udp packets inside the MP2T stream so a way to extract just reassembled TCP packets would be super helpful as well.

edit retag flag offensive close merge delete

Comments

It might be possible with "Exported PDU"

Anders gravatar imageAnders ( 2018-05-16 11:23:43 +0000 )edit

Thanks for the lead! Unfortunately no luck - none of the selectable layers (not sure if that's the right term) result in any packets being extracted.

pavja2 gravatar imagepavja2 ( 2018-05-16 11:47:23 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-05-16 18:55:28 +0000

Guy Harris gravatar image

Is there a way to extract just the reassembled packets/conversations from the capture?

If what you really want is, for example, to have the packet summary that shows only reassembled packets at some protocol layer, rather than showing frames at the bottommost layer, there isn't any such mechanism, but it might be useful, and not just for MP2T - somebody might, for example, want to see NFS or SMB requests and replies, but not see all the individual IP fragments or TCP segments that go into multiple-frame requests or replies (and, for NFS-over-TCP and SMB, might want to see multiple summary lines if a TCP segment contains data from more than one NFS or SMB request or reply).

If that's what you'd like, you should request it as a feature on the Wireshark Bugzilla. (I know a feature like that has been discussed, but I didn't find it in any obvious place on the Wireshark Bugzilla.)

edit flag offensive delete link more

Comments

I think that is what I want - just to show the higher layers of a protocol without having to think of everything in terms of frames. I'll make a feature request for it!

pavja2 gravatar imagepavja2 ( 2018-05-21 15:52:07 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2018-05-16 11:17:17 +0000

Seen: 4,148 times

Last updated: May 16 '18

Related questions

how to extract whole xml structure from soap envelope using tshark?

How do I extract the individual flows from the total packets in a pcap file?

How do I create a Capture filter to exclude MPEG TS (mp2t)?

Lua dissector memory-efficient packet reassembly

What happened to reassemble_tcp?

What cause UDP Multicast Stream Statistics to double count streams

RTP protocol reassemble split frames

How to parse the tcp data with fragments in lua

Certficate [TCP segment of a ressembled PDU] -- WHY/WHAT causes it?

Reassemble rtp payload to IP frames