Different dissect results for tshark and Wireshark
Hi, everyone. I'm analyzing the same .pcapng file containing HTTP/2 packets with TShark and Wireshark. I've provided the SSL keylog file to Wireshark and the display filter applied is tcp.stream eq 9 and http2. Wireshark displays around 600 HTTP/2 packets.
However, when I use TShark to analyze the same packet with the following command:
tshark -r .\pan.baidu.com_10.pcapng -o tls.desegment_ssl_records:TRUE -o tls.desegment_ssl_application_data:TRUE -o tls.keylog_file:keylog.txt -Y "tcp.stream eq 9 and http2" > tmp.txt
The result shows only 80 HTTP/2 packets, and the dissection jumps from Frame 1333 to 5037; many frames seem to be ignored (in Wireshark, there are many HTTP/2 frames between Frame 1333 and Frame 7813).
1333 2.019137925 192.168.5.5 → 27.221.82.38 HTTP2 675 HEADERS[49]: GET /m-static/wp-brand/img/data_security.55b7de30.png, WINDOW_UPDATE[49]
5037 2.691110037 192.168.5.5 → 27.221.82.38 HTTP2 89 WINDOW_UPDATE[0]
7813 3.160037061 27.221.82.38 → 192.168.5.5 HTTP2 1466 Unknown type (48)[1496307833], Continuation Data
9492 3.436270868 192.168.5.5 → 27.221.82.38 HTTP2 89 WINDOW_UPDATE[0]
I've searched a lot, and found here that it might need two-pass scan enabled to get more exact results. However, when I pass the -2 option to TShark, the results are still the same, which confuses me a lot.
Moreover, when I only use the display filter tcp.stream eq 9, the number of packets displayed by Wireshark and TShark is the same.
I've tried TShark in different versions on both Linux and Windows; they lead to the same (incorrect) results. The .pcapng along with the keylog file are provided through the links. Any help or suggestion is appreciated! :)
Wireshark Version: Version 4.4.3 (v4.4.3-0-g66d7a52feb06). Windows TShark Version: TShark (Wireshark) 4.4.3 (v4.4.3-0-g66d7a52feb06). Ubuntu TShark Version: TShark (Wireshark) 4.4.2.
Instead of using -o options to specify preferences, try specifying a profile to load with the -C option. Check the status bar in the Wireshark GUI to see which profile is being loaded.
tshark man page:
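One way to try the profile approach from the answer above, as an added example that is not from this thread: the script writes the three TLS preferences the question passed with -o into a separate profile and runs tshark with -C and -2 against the question's display filter. The profile name, the config directory (Wireshark's per-user directory, or $WIRESHARK_CONFIG_DIR) and the keylog path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a throw-away Wireshark profile
# that carries the TLS preferences from the question, then run tshark with
# -C <profile> -2 instead of three -o options.

# make_profile NAME KEYLOG [CONFIG_DIR]
# Creates CONFIG_DIR/profiles/NAME/preferences and prints its path.
# CONFIG_DIR defaults to the Linux per-user location; pass the directory
# explicitly on Windows or when testing in a scratch directory.
make_profile() {
    name=$1
    keylog=$2
    base=${3:-${WIRESHARK_CONFIG_DIR:-$HOME/.config/wireshark}}
    dir="$base/profiles/$name"
    mkdir -p "$dir"
    # The preferences file is one "name: value" pair per line; these are the
    # same preference names the question sets with -o on the command line.
    cat > "$dir/preferences" <<EOF
tls.keylog_file: $keylog
tls.desegment_ssl_records: TRUE
tls.desegment_ssl_application_data: TRUE
EOF
    printf '%s\n' "$dir/preferences"
}

# count_http2_frames PROFILE PCAP
# Runs tshark with the profile and the question's filter (two-pass, -2) and
# prints the number of frames that match; requires tshark on PATH.
count_http2_frames() {
    tshark -C "$1" -2 -r "$2" -Y "tcp.stream eq 9 and http2" | wc -l
}

# Usage (assumed file names): create the profile, then count frames.
#   make_profile http2dbg "$PWD/keylog.txt"
#   count_http2_frames http2dbg pan.baidu.com_10.pcapng
```

Compare the count with what the Wireshark GUI shows for the same filter while its status bar reports the same profile name.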