Different results using tshark on http2

asked 2024-03-13 07:45:33 +0000 by JanneG

I have a problem getting tshark to decode packets as http2. The traffic I am analysing contains http2 on several different ports: 5070, 5080, 7070 and 8080. I'm decoding using:

tshark -T json -x -n -r test.pcap -d tcp.port==7070,http2 -d tcp.port==5070,http2 -d tcp.port==5080,http2 -d tcp.port==8080,http2 > output.json

If I try to decode all captured packets, tshark will not decode all packets as http2; some will only be tcp. However, if I select some of the non-decoded packets, save them in a new pcap file and then run tshark on that file, tshark successfully decodes them as http2.

Why, and is there a way to force tshark to decode all packets on e.g. port 7070 as http2, regardless of the overall packet flow?


Comments

Do you get better results setting the preference for http2 port?
(Extra port 34727 added for my test file)

C:\>tshark.exe -T json -x -n -r proto_data.pcap -o http2.tcp.port:5070,5080,7070,8080,34727 > 240313_output.json

Chuckc (2024-03-13 11:33:23 +0000)

I get the exact same result using the preference syntax:

-rw-r--r-- 1 jannegpriv staff 77457223 Mar 13 14:33 240313_output.json
-rw-r--r-- 1 jannegpriv staff 77457223 Mar 13 14:34 240313_output2.json

JanneG (2024-03-13 13:36:34 +0000)

I found a way around this problem. Following a tcp stream, I could see that Wireshark thought the non-decoded tcp packets were retransmissions; after disabling the analysis of sequence numbers it now works:

tshark -T json -x -n -r test1.pcap -o tcp.analyze_sequence_numbers:FALSE -d tcp.port==7070,http2 -d tcp.port==5070,http2 -d tcp.port==5080,http2 -d tcp.port==8080,http2 > test1.json

JanneG (2024-03-13 15:18:53 +0000)

We're not consistent in what a "range" is (e.g. https://www.wireshark.org/docs/wsug_h...) but it would be nice if the -d option supported a non-contiguous range (comma separated list) of ports.
The multiple "-d tcp.port ..." works but is messy. :-)

Chuckc (2024-03-13 16:16:57 +0000)
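The following is an added example, not code posted by anyone in this thread and not part of tshark itself. It wraps JanneG's workaround (the tcp.analyze_sequence_numbers preference plus one -d decode-as rule per port) in a small POSIX shell helper that expands a comma-separated port list into the repeated "-d tcp.port==PORT,http2" arguments Chuckc wished the -d option would accept directly. If tshark is on PATH and a pcap path is passed as the first argument, it also runs the decode and reports how many frames on those ports are still tcp-only, which is the check to make after applying the workaround. The file names and port list here are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): expand a comma-separated
# port list into tshark decode-as arguments and run the decode with TCP
# sequence analysis disabled, as in JanneG's workaround.

# http2_decode_args PORTS
#   PORTS is "7070,5070,5080" etc. Prints "-d tcp.port==7070,http2 -d ..."
http2_decode_args() {
    ports="$1"
    out=""
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        out="$out -d tcp.port==$p,http2"
    done
    # strip the leading space left by the first iteration
    printf '%s' "${out# }"
}

# tshark_http2_cmd PCAP PORTS
#   Prints the full command line: JSON output, raw bytes, no name
#   resolution, sequence analysis off, one decode-as rule per port.
tshark_http2_cmd() {
    pcap="$1"
    ports="$2"
    printf 'tshark -T json -x -n -r %s -o tcp.analyze_sequence_numbers:FALSE %s' \
        "$pcap" "$(http2_decode_args "$ports")"
}

# tcp_only_frames PCAP PORTS
#   Counts frames carrying TCP payload on the given ports that tshark did
#   NOT dissect as http2 after the workaround. Zero means every payload
#   segment on those ports was decoded. Requires tshark on PATH.
tcp_only_frames() {
    pcap="$1"
    ports="$2"
    portset=$(printf '%s' "$ports" | tr ',' ' ')
    # shellcheck disable=SC2046  # decode-as args are meant to word-split
    tshark -n -r "$pcap" -o tcp.analyze_sequence_numbers:FALSE \
        $(http2_decode_args "$ports") \
        -Y "tcp.port in {$portset} && tcp.len > 0 && !http2" \
        -T fields -e frame.number | wc -l | tr -d ' '
}

# Stand-alone use: ./decode_http2.sh capture.pcap [ports]
# The port list below is the one from the question; "capture.pcap" is a
# placeholder and no pcap is bundled with this example.
if [ -n "$1" ] && command -v tshark >/dev/null 2>&1; then
    PORTS="${2:-5070,5080,7070,8080}"
    echo "Running: $(tshark_http2_cmd "$1" "$PORTS") > output.json"
    eval "$(tshark_http2_cmd "$1" "$PORTS")" > output.json
    echo "tcp-only payload frames on $PORTS: $(tcp_only_frames "$1" "$PORTS")"
fi
```

The -Y filter in tcp_only_frames uses the display-filter set syntax (tcp.port in {…}) so the same port list drives both the decode-as rules and the post-check; a non-zero count after disabling sequence analysis points at something other than the retransmission mis-classification described in the thread.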