Wireshark-bugs: [Wireshark-bugs] [Bug 12855] Follow TCP Stream shows duplicate stream data
Date: Mon, 03 Oct 2016 01:53:13 +0000

Comment # 12 on bug 12855 from
(In reply to Peter Wu from comment #5)
> tshark
> master:
> ===================================================================
> Follow: tcp,hex
> Filter: tcp.stream eq 0
> Node 0: 10.0.0.1:32323
> Node 1: 10.0.0.2:80
> 00000010  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
> 00000020  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
> 00000030  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
> 00000040  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  Content- Length:
> 00000050  36 0d 0a                                          6..
> 00000053  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  Content- Length:
> 00000063  36 0d 0a                                          6..
> 00000066  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
> 00000076  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  Content- Length:
> 00000086  36 0d 0a 0d 0a                                    6....
> 0000008B  0d 0a                                             ..
> 0000008D  32 0a                                             2.
> 0000008F  33 0a                                             3.
> ===================================================================

The "old" Follow TCP stream (2.0 and older) would write the TCP stream to a
file and then reread it, effectively giving it a "second pass" (regardless of
*shark).  The "current" Follow TCP stream (2.2 and master) uses just the tap
interface, so if you don't specify -2 on the TShark command line, you can get
drastically different results.

Here's what I got with
tshark.exe -2r "c:\Wireshark Test Files\follow_tcp\tcp80.pcap" -z follow,tcp,hex,0

===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 0
Node 0: 10.0.0.1:32323
Node 1: 10.0.0.2:80
00000000  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
00000010  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
00000020  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  Content- Length:
00000030  36 0d 0a                                          6..
00000033  0d 0a                                             ..
00000035  32 0a                                             2.
00000037  33 0a                                             3.
===================================================================

Still not correct, but closer to the original issue shown by the submitter's
capture file.
Pascal's patch (https://code.wireshark.org/review/17749) does correctly affect
the original capture file, but doesn't alter the behavior of tcp80.pcap.
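
A way to compare the two dumps in this comment byte for byte, as an added example that is not part of the original comment or of Wireshark: it parses `follow,tcp,hex` rows, checks that the printed offsets are contiguous, and counts CRLF-terminated lines that recur. The function names are hypothetical, and the repeated-line count is only a heuristic for spotting duplicated segments.

```python
import re
from collections import Counter

# Hex rows as printed in the quoted one-pass output above (its first row is 0x10).
ONE_PASS = """\
00000010  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
00000020  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
00000030  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
00000040  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  Content- Length:
00000050  36 0d 0a                                          6..
00000053  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  Content- Length:
00000063  36 0d 0a                                          6..
00000066  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
00000076  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  Content- Length:
00000086  36 0d 0a 0d 0a                                    6....
0000008B  0d 0a                                             ..
0000008D  32 0a                                             2.
0000008F  33 0a                                             3.
"""
# Hex rows from the two-pass (-2) run above.
TWO_PASS = """\
00000000  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
00000010  50 55 54 20 2f 20 48 54  54 50 2f 31 2e 31 0d 0a  PUT / HT TP/1.1..
00000020  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  Content- Length:
00000030  36 0d 0a                                          6..
00000033  0d 0a                                             ..
00000035  32 0a                                             2.
00000037  33 0a                                             3.
"""

ROW = re.compile(r"^\s*([0-9A-Fa-f]{8})  ((?:[0-9a-f]{2}(?: {1,2}|$)){1,16})")

def follow_bytes(text):
    """Rebuild the byte stream from hex rows; raise if offsets are not contiguous."""
    out, expected = b"", None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or other non-hex line
        offset, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if expected is not None and offset != expected:
            raise ValueError(f"gap or overlap at {offset:#010x}")
        out, expected = out + data, offset + len(data)
    return out

def repeated_lines(stream):
    """Heuristic: CRLF-terminated lines that occur more than once."""
    counts = Counter(l for l in stream.split(b"\r\n") if l)
    return {l: n for l, n in counts.items() if n > 1}
```

On these inputs the quoted one-pass rows carry 129 bytes with the `PUT` line four times and `Content-Length: 6` three times, while the `-2` rows carry 57 bytes with only the `PUT` line repeated, twice.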

