
the_paul's profile - activity

2023-11-13 18:35:15 +0000 received badge  Popular Question (source)
2022-08-21 12:16:31 +0000 commented answer tshark http.response_in not working

I was only aware of the -R parameter. Fast and educational, the perfect answer. Thank you very much!

2022-08-21 12:15:37 +0000 answered a question tshark http.response_in not working

2022-08-21 12:15:37 +0000 received badge  Rapid Responder (source)
2022-08-21 12:09:12 +0000 marked best answer tshark http.response_in not working

I have a capture file with an HTTP 1.1 request in frame 536 and the HTTP 200 response in frame 856. Frame 856 is reassembled.
In Wireshark 3.6.7 I can filter those two packets by:

http.request_in in{536,856}||http.response_in in{536,856}

or by

http.request_in == 536 || http.response_in == 856

It works fine and I see both packets.

But when I use tshark I only see the response frame 856.

tshark -r tmp.pcap -Y "http.request_in in{536,856} || http.response_in in{536,856}"
tshark -r tmp.pcap -Y "http.request_in == 536 || http.response_in == 856"

When I run:

tshark -r tmp.pcap -Y "http.response_in == 856"

then no frame is shown. With the same filter, Wireshark shows frame 536.

The filter:

"frame.number == 536 || frame.number == 856"

works the same in tshark and Wireshark. What am I missing?

2022-08-21 12:09:12 +0000 received badge  Scholar (source)
2022-08-21 04:56:54 +0000 asked a question tshark http.response_in not working
