tshark http.file_data does not work

asked 2018-07-13 07:52:33 +0000

Hello, I wanna get the size of image transactions from my pcap data. When I see the pcap file using Wireshark, I can see that there is a JPEG image soundly. However, when I use tshark, http.file_data turns out some trash value --> ���� The command was:

tshark -nr ./pcap -o ssl.keylog_file:./key -Y 'frame.number==287' -T fields -e http.file_data

How can I get the right image data using tshark? Thanks for any info you can provide.

I doubt the whole image is contained in just one frame (287)
