tshark http.file_data does not work

asked 2018-07-13 07:52:33 +0000

Hello, I want to get the size of image transactions from my pcap data. When I view the pcap file using Wireshark, I can see that there is a JPEG image soundly. However, when I use tshark, http.file_data turns out some trash value --> ����

The command was:

tshark -nr ./pcap -o ssl.keylog_file:./key -Y 'frame.number==287' -T fields -e http.file_data

How can I get the right image data using tshark? Thanks for any info you can provide.


I doubt the whole image is contained in just one frame (287)

Jaap ( 2018-07-13 09:42:23 +0000 )