Wireshark-bugs: [Wireshark-bugs] [Bug 2234] Filtering tshark captures with display filters (-R)
Date: Wed, 28 Oct 2009 00:00:18 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234





--- Comment #18 from Sake <sake@xxxxxxxxxx>  2009-10-27 23:59:57 PDT ---
(In reply to comment #17)
> 
> Sorry I lost the reply in my attachment. The file attached indicates the issue,
> the response is reassembled yet the line text with a 400 message is dropped.
> Guess there is no way round this

Well, when reassembly is enabled, only the packet with the last segment will
have upper-layer dissection and only this packet will be displayed and/or
saved. When the first segment contains enough information to make the display
filter work, then you could disable reassembly. Of course you will get only the
first TCP segment of the HTTP responses, but it looks like this is the info you
seek. Here is how you can do it in tshark:

$ tshark -r trace-raw.pcap -R http.response.code==400
 14   0.161606  10.66.27.175 -> 10.76.16.1   HTTP HTTP/1.1 400 Bad request (text/html)

$ tshark -o tcp.desegment_tcp_streams:FALSE -r trace-raw.pcap -R http.response.code==400
  7   0.062142  10.66.27.175 -> 10.76.16.1   HTTP HTTP/1.1 400 Bad request

As you can see, now frame 7 (in which the first part of the response is
present) is displayed instead of frame 14 (which contains the last part of the
response).


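The behaviour described in comment #18, as an added example that is not part of the original message or of Wireshark's code: a simplified Python model of which frame a status-code filter matches with TCP reassembly on and off. Frame numbers 7 and 14 follow the thread; the payload bytes, the middle frame 9 and all function names are constructed, and a single one-directional stream with a Content-Length body is assumed.

```python
import re

STATUS = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")
CLEN = re.compile(rb"^content-length:\s*(\d+)", re.I | re.M)

# Constructed sample: one HTTP response split over three TCP segments.
BODY = b"<html><body><h1>400 Bad request</h1></body></html>"
RESPONSE = (b"HTTP/1.1 400 Bad request\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
FRAMES = [(7, RESPONSE[:60]), (9, RESPONSE[60:100]), (14, RESPONSE[100:])]


def pdu_complete(buf):
    """True once buf holds the whole header block plus Content-Length body bytes."""
    head, sep, body = buf.partition(b"\r\n\r\n")
    if not sep:
        return False
    m = CLEN.search(head)
    return len(body) >= (int(m.group(1)) if m else 0)


def matching_frames(frames, code, desegment):
    """Frame numbers on which a response-code filter would match."""
    hits, buf = [], b""
    for number, payload in frames:
        if desegment:
            buf += payload
            if not pdu_complete(buf):
                continue      # intermediate segment: no HTTP fields to filter on
            data, buf = buf, b""   # last segment carries the reassembled PDU
        else:
            data = payload    # every segment is dissected on its own
        m = STATUS.match(data)
        if m and int(m.group(1)) == code:
            hits.append(number)
    return hits


if __name__ == "__main__":
    print("reassembly on :", matching_frames(FRAMES, 400, desegment=True))
    print("reassembly off:", matching_frames(FRAMES, 400, desegment=False))
```

With reassembly off, only fields present in the first segment can match; a filter on content that arrives in a later segment finds nothing.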