This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Display the first data packet of an HTTP request as HTTP instead of the last data packet of the request

0

I just installed Ubuntu 14.04 and immediately installed tshark on it (version TShark 1.10.6 (v1.10.6 from master-1.10)).

The problem is, tshark doesn't display the packet as an HTTP request (packet 4). This works fine on another PC I have. Here is a link to the pcap file. I know an HTTP request can span multiple data packets; I wonder if there is a way to make tshark display the first such data packet as the HTTP request (instead of the last such data packet)?

$ tshark -nr pcaps/httpUpload.pcap | more
  1   0.000000    127.0.0.1 -> 127.0.0.1    TCP 74 43098 > 80 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 SACK_PERM=1 TSval=234865924 TSecr=0 WS=128
  2   0.000042    127.0.0.1 -> 127.0.0.1    TCP 74 80 > 43098 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 SACK_PERM=1 TSval=234865924 TSecr=234865924 WS=128
  3   0.000067    127.0.0.1 -> 127.0.0.1    TCP 66 43098 > 80 [ACK] Seq=1 Ack=1 Win=32896 Len=0 TSval=234865924 TSecr=234865924
  4   0.000882    127.0.0.1 -> 127.0.0.1    TCP 668 [TCP segment of a reassembled PDU]
  5   0.000952    127.0.0.1 -> 127.0.0.1    TCP 66 80 > 43098 [ACK] Seq=1 Ack=603 Win=32768 Len=0 TSval=234865924 TSecr=234865924
  6   0.001189    127.0.0.1 -> 127.0.0.1    TCP 16450 [TCP segment of a reassembled PDU]

asked 21 Jul '15, 09:10


pktUser1001


2 Answers:

3

Most likely, the other PC has the TCP preference to "Allow subdissector to reassemble TCP streams" turned off while your Ubuntu 14.04 PC's Wireshark has it turned on.

You can turn it off permanently in Wireshark via: Edit -> Preferences -> Protocols -> TCP -> Allow subdissector to reassemble TCP streams -> [deselect], or you can turn it off on the tshark command-line as follows:

tshark -o tcp.desegment_tcp_streams:FALSE -nr pcaps/httpUpload.pcap

All Wireshark (and tshark) preferences are located in your preferences file, which can be located from Wireshark via: Help -> About Wireshark -> Folders -> Personal configuration. See also the "Files" section at the bottom of the tshark man page for more information.

answered 21 Jul '15, 09:33


cmaynard ♦♦
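To make the behaviour behind this preference concrete, here is a small added illustration (my own code, not part of the original answer and not Wireshark or TShark code). It models two modes of handing TCP payload to an HTTP parser: with desegmentation on, segments are buffered by sequence number and the HTTP label lands on the frame that completes the PDU (frame 6 in the capture above); with desegmentation off, each segment is parsed alone, so the first segment, which already carries the request line and headers, is the one labelled HTTP (frame 4). The frames, the `POST /upload` request line and the body size are constructed to resemble the capture in the question (602 payload bytes in frame 4, matching the Ack=603 in frame 5); the rest of the body is shortened for the example.

```python
"""Toy model of TShark's tcp.desegment_tcp_streams preference.
Added example, not Wireshark/TShark code. The frames below are constructed;
only the frame numbers and the 602-byte first segment mirror the question's
capture."""

HEADER_END = b"\r\n\r\n"

# Constructed HTTP request: 63 bytes of request line + headers, 800-byte body.
BODY = b"x" * 800
REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: 127.0.0.1\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)

# (frame number, direction, relative TCP seq, payload)
FRAMES = [
    (4, "c2s", 1, REQUEST[:602]),    # first data segment: headers + start of body
    (5, "s2c", 1, b""),              # server ACK, no payload
    (6, "c2s", 603, REQUEST[602:]),  # last data segment: remainder of the body
]


def parse_request_head(data):
    """Return (request_line, headers, header_length) if a complete HTTP
    header block is present in data, else None."""
    end = data.find(HEADER_END)
    if end < 0:
        return None
    lines = data[:end].decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + len(HEADER_END)


def dissect_without_reassembly(frames):
    """Desegmentation off: every segment's payload is parsed on its own.
    A segment is labelled HTTP as soon as it parses as a request head."""
    labels = {}
    for num, direction, _seq, payload in frames:
        parsed = parse_request_head(payload) if direction == "c2s" else None
        labels[num] = "HTTP " + parsed[0] if parsed else "TCP"
    return labels


def dissect_with_reassembly(frames):
    """Desegmentation on: buffer client->server segments by sequence number
    until head + Content-Length body are all present, then label the segment
    that completed the PDU. Earlier segments stay 'segment of a reassembled PDU'.
    Simplification: a segment never carries the tail of one PDU and the start of
    the next."""
    labels, buf, pdu_start = {}, {}, 1
    for num, direction, seq, payload in frames:
        if direction != "c2s" or not payload:
            labels[num] = "TCP"
            continue
        buf[seq] = payload
        data, nxt = b"", pdu_start           # stitch contiguous bytes from pdu_start
        while nxt in buf:
            data += buf[nxt]
            nxt += len(buf[nxt])
        parsed = parse_request_head(data)
        if parsed is None:
            labels[num] = "TCP [segment of a reassembled PDU]"
            continue
        request_line, headers, hlen = parsed
        total = hlen + int(headers.get("content-length", "0"))
        if len(data) >= total:
            labels[num] = "HTTP " + request_line
            pdu_start += total
            buf = {}
        else:
            labels[num] = "TCP [segment of a reassembled PDU]"
    return labels


def first_http_frame(labels):
    """Frame number on which the HTTP request first becomes visible."""
    return min(n for n, label in labels.items() if label.startswith("HTTP"))


if __name__ == "__main__":
    for mode, fn in (("reassembly on ", dissect_with_reassembly),
                     ("reassembly off", dissect_without_reassembly)):
        labels = fn(FRAMES)
        print(mode, "-> HTTP shown on frame", first_http_frame(labels))
        for num in sorted(labels):
            print(f"    {num}: {labels[num]}")
```

The trade-off the model makes visible: with reassembly off, frame 4 is labelled HTTP but frame 6 (body only) is not recognised as part of the request, so any filter or statistic that needs the whole body, or a request whose headers themselves straddle a segment boundary, is better served by leaving `tcp.desegment_tcp_streams` on.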

Thanks Chris for the reply. I installed tshark on the server (not wireshark). Wonder if there is a way to turn off reassemble TCP streams on command line?

(22 Jul '15, 14:38) pktUser1001

Yes, I gave it above. Use -o tcp.desegment_tcp_streams:FALSE.

(22 Jul '15, 15:27) cmaynard ♦♦

Thanks Chris again. It works. Sorry, I didn't notice the tshark command you put there.

(22 Jul '15, 20:33) pktUser1001

0

As Chris Maynard says, the only way to do this currently is to turn off TCP reassembly.

It might be possible to enhance Wireshark and TShark to have an option to show the reassembly on the first packet, although such an option will only work in TShark, as opposed to Wireshark, if you use the -2 option - it would be impossible to make it work without that option, as you have to see all the packets in order to do the reassembly.

answered 21 Jul '15, 16:44


Guy Harris ♦♦

Thanks Guy. I like your suggestion. I would be happy if I knew which configuration file to edit manually, since I don't have a Wireshark installation right now (the target host is a server).

(22 Jul '15, 14:39) pktUser1001

If, as, and when we ever implement that enhancement, we'll document the name of the preference that would control that.

If you just mean "the option to turn off TCP reassembly", it's "tcp.desegment_tcp_streams", and you turn it off with the Wireshark/TShark command-line option -o tcp.desegment_tcp_streams:false.

(22 Jul '15, 15:05) Guy Harris ♦♦

Thanks again. I didn't notice the tshark command Chris put there. Now it's working well for me.

(22 Jul '15, 20:34) pktUser1001