This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

A string is found in the tcp segment data window but not in the tcp stream

0
1

Hi, I am searching for a specific xml data string and the pointer finds the specific packet number. Then I right click "follow tcp stream" and don't find it (I am not talking about while it is written in "white"). Then I look at tcp data segment window below, and find it! My question is why parts of the xml are written in the follow tcp stream window and some are not (and are only available at the tcp data segment window)? BR, Yuval Sivan.

asked 30 May '11, 03:13

yuvalsivan's gravatar image

yuvalsivan
1121
accept rate: 0%


2 Answers:

1

Could it be that the XML object was compressed when it was sent over HTTP? The HTTP dissector is able to decompress the object, while "Follow TCP Stream" does just that, it shows you the raw data sent over TCP.

answered 01 Jun '11, 23:23

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

0

Sadly, wireshark's capabilities are quite limited when working with tcp streams, especially those that are compressed. You can decompress the stream using tcpflow, however.

answered 01 May '13, 11:25

bhh's gravatar image

bhh
1
accept rate: 0%