This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark could not decode HTTP response packet while wireshark can

0

When using the display filter -Y "http" in tshark, I can only see that the HTTP request packet is recognized. But I can see more packets decoded as HTTP, including the HTTP response. Any idea why?

Output from tshark with display filter:

[email protected]:~$ tshark -2 -r saegw_1501_sgi_tencent_10.146.76.166_52393 -Y "http"
4 0.054650003 10.146.76.166 -> 120.198.235.230 HTTP 529 GET /ugcyd.qq.com/flv/127/231/v0502uq4ahg.mp4?vkey=75DF20654722E963E5C21D63B5C1C853B033B9EB61D12A1447B279A0178D8AA5031D835EE305A7BF27EC922208D6E67D428D28C8659784399C3E3BC4A839491A274672412A3E710DCA3B7D431B9AA60F0BC13BDB24E06216&sha=&level=3&br=200&fmt=mp4&sdtfrom=v3040&platform=30403&fohost=ugcyd.qq.com HTTP/1.1

Output from tshark without display filter:

[email protected]:~$ tshark -2 -r saegw_1501_sgi_tencent_10.146.76.166_52393
1 0.000000000 10.146.76.166 -> 120.198.235.230 TCP 82 52393 > http [SYN] Seq=0 Win=37500 Len=0 MSS=1400 WS=8 TSval=856798291 TSecr=0 SACK_PERM=1
2 0.004892857 120.198.235.230 -> 10.146.76.166 TCP 70 http > 52393 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=1024
3 0.036579926 10.146.76.166 -> 120.198.235.230 TCP 64 52393 > http [ACK] Seq=1 Ack=1 Win=300000 Len=0
4 0.054650003 10.146.76.166 -> 120.198.235.230 HTTP 529 GET /ugcyd.qq.com/flv/127/231/v0502uq4ahg.mp4?vkey=75DF20654722E963E5C21D63B5C1C853B033B9EB61D12A1447B279A0178D8AA5031D835EE305A7BF27EC922208D6E67D428D28C8659784399C3E3BC4A839491A274672412A3E710DCA3B7D431B9AA60F0BC13BDB24E06216&sha=&level=3&br=200&fmt=mp4&sdtfrom=v3040&platform=30403&fohost=ugcyd.qq.com HTTP/1.1
5 0.059337563 120.198.235.230 -> 10.146.76.166 TCP 64 http > 52393 [ACK] Seq=1 Ack=472 Win=16384 Len=0  
6 0.080402874 10.146.76.166 -> 120.198.235.230 TCP 64 52393 > http [RST, ACK] Seq=472 Ack=1 Win=30800 Len=0
7 0.084795120 120.198.235.230 -> 10.146.76.166 TCP 389 [TCP segment of a reassembled PDU]
8 0.084819791 120.198.235.230 -> 10.146.76.166 TCP 1458 [TCP segment of a reassembled PDU]
9 0.084841385 120.198.235.230 -> 10.146.76.166 TCP 4258 [TCP segment of a reassembled PDU]
10 0.084864582 120.198.235.230 -> 10.146.76.166 TCP 5658 [TCP segment of a reassembled PDU]
11 0.084900198 120.198.235.230 -> 10.146.76.166 TCP 1458 [TCP segment of a reassembled PDU]
12 0.084927495 120.198.235.230 -> 10.146.76.166 TCP 7058 [TCP segment of a reassembled PDU]
13 0.084950495 120.198.235.230 -> 10.146.76.166 TCP 1458 [TCP segment of a reassembled PDU]
14 0.089734953 10.146.76.166 -> 120.198.235.230 TCP 64 52393 > http [RST] Seq=472 Win=0 Len=0

asked 04 Jun '17, 22:12

tong1125
accept rate: 100%

edited 05 Jun '17, 02:17

grahamb ♦


3 Answers:

0

It turns out I made a silly mistake. I disabled "Allow subdissector to reassemble TCP streams" on Windows, but I forgot to do the same thing on the Linux host.

Btw, the Wireshark preference file is located at ~/.config/wireshark

If you are not able to find the preference file, you can use tshark -o tcp.desegment_tcp_streams:FALSE to disable it

answered 29 Jun '17, 02:00

tong1125
accept rate: 100%

0

The display filter -Y http will limit output to those packets that are dissected as HTTP. As you can see from the second output, only one packet, the "GET" request has been dissected as HTTP.

All the other packets have been dissected as TCP because they either don't contain any HTTP data or are fragments of an HTTP message; only the final packet that completes the HTTP response will be dissected as HTTP and show up with an HTTP display filter.

answered 05 Jun '17, 02:24

grahamb ♦
accept rate: 22%

Thanks for the feedback. My concern is that the Wireshark GUI can recognize those TCP segments as HTTP, but the tshark CLI cannot.

How can I get the filtered output like GUI in tshark?

(05 Jun '17, 04:48) tong1125

Try adding -2 to the tshark command line.

(05 Jun '17, 05:20) grahamb ♦

-2 is already included, it doesn't work.

(05 Jun '17, 23:33) tong1125

Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, Dropbox etc?

(06 Jun '17, 02:27) grahamb ♦
(06 Jun '17, 19:32) tong1125

What version of Wireshark and tshark are you using?

(07 Jun '17, 04:04) grahamb ♦

Tshark version is (screenshot not preserved in the archive)

And Wireshark GUI version is (screenshot not preserved in the archive)

(09 Jun '17, 01:19) tong1125

Upgraded Wireshark to 2.2.6 on Windows, it is still working. Maybe only Linux has the problem?

(09 Jun '17, 05:16) tong1125

So tshark on Windows works for you?

(09 Jun '17, 06:12) grahamb ♦
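An added illustration of the mechanism grahamb describes in his answer and of why the accepted answer's preference override changes what -Y http prints. This is a small model written for this page, not Wireshark or tshark code: it takes the server-to-client TCP payloads of one response (a constructed stand-in for frames 7-13 above, cut short by the client's RST) and labels each segment the way the two settings of the TCP preference tcp.desegment_tcp_streams ("Allow subdissector to reassemble TCP streams") would. The label strings, and the rule that a message is complete once Content-Length bytes of body have arrived (chunked encoding is ignored), are simplifications of the real dissector.

```python
import re

# Preference that controls this behaviour in tshark/Wireshark:
#   tshark -o tcp.desegment_tcp_streams:FALSE ...   (each segment dissected on its own)
#   tshark -o tcp.desegment_tcp_streams:TRUE  ...   (default: reassemble the PDU first)
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
PDU_SEGMENT = "TCP segment of a reassembled PDU"


def split_headers(data):
    """Return (header_block, body) once the CRLFCRLF terminator is present, else None."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    return data[:end + 4], data[end + 4:]


def content_length(header_block):
    """Content-Length of a complete header block, or None if absent (chunked encoding ignored here)."""
    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", header_block)
    return int(m.group(1)) if m else None


def classify_no_reassembly(segments):
    """Reassembly off: every segment is handed to the HTTP dissector by itself.
    The segment carrying the status line is 'HTTP'; later data of the same message
    shows as 'Continuation'. Both match the display filter 'http'."""
    labels, in_message = [], False
    for seg in segments:
        if STATUS_LINE.match(seg):
            labels.append("HTTP")
            in_message = True
        elif in_message:
            labels.append("Continuation")
        else:
            labels.append("TCP")
    return labels


def classify_with_reassembly(segments):
    """Reassembly on (the default): payload is buffered until the message is complete,
    and only the segment that completes it is labelled 'HTTP'. If the stream stops
    early (the client reset the connection), no segment is ever labelled HTTP."""
    labels, buf = [], b""
    for seg in segments:
        buf += seg
        parts = split_headers(buf)
        if parts is None:
            labels.append(PDU_SEGMENT)  # header block not even complete yet
            continue
        header_block, body = parts
        need = content_length(header_block)
        if need is None or len(body) >= need:
            labels.append("HTTP")  # this segment completes the message
            buf = b""
        else:
            labels.append(PDU_SEGMENT)
    return labels


def frames_matching_http(first_frame, labels):
    """Frame numbers that 'tshark -Y http' would print, given per-frame labels."""
    return [first_frame + i for i, lab in enumerate(labels) if lab in ("HTTP", "Continuation")]


# Constructed stand-in for frames 7-13 of the question: a 4000-byte response body of
# which only 3100 bytes arrive before the client's RST ends the stream.
RESPONSE_HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\nContent-Length: 4000\r\n\r\n"
SEGMENTS_CUT_SHORT = [RESPONSE_HEADERS + b"\x00" * 300, b"\x00" * 1400, b"\x00" * 1400]
SEGMENTS_COMPLETE = SEGMENTS_CUT_SHORT + [b"\x00" * 900]  # same response, fully delivered

if __name__ == "__main__":
    for name, segs in (("cut short", SEGMENTS_CUT_SHORT), ("complete", SEGMENTS_COMPLETE)):
        print(name, "reassembly off:", classify_no_reassembly(segs))
        print(name, "reassembly on: ", classify_with_reassembly(segs))
        print(name, "-Y http frames, reassembly on:", frames_matching_http(7, classify_with_reassembly(segs)))
```

With the stream cut short, the reassembly-on path never labels anything HTTP, which is exactly the tshark output in the question; turning the preference off labels frame 7 as HTTP and the rest as Continuation, so all of them pass -Y http. To compare on a real capture, run tshark twice on the same file, once with and once without -o tcp.desegment_tcp_streams:FALSE, and diff the Protocol column.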

0

Are you possibly forgetting to specify the profile in tshark? If you're using a specific profile in the GUI where you have the TCP settings that allow you to see HTTP, make sure to specify that same profile in tshark, else it will use the default, like below.

tshark -r test.pcap -Y http.response -Tfields -e frame.number -e http.response.code -e http.time -C tcp-tshoot

C:\ tshark -r 90_streams.pcap -Y http.response -Tfields -e frame.number -e http.response.code -e http.time -C tcp-tshoot
5	200	0.025068000
49	200	0.022251000
55	200	0.194137000
75	200	0.243763000
103	200	0.250902000
132	200	0.029903000
142	200	0.039818000

answered 03 Jul '17, 15:24

Sneak2k2
accept rate: 0%