Wireshark-bugs: [Wireshark-bugs] [Bug 12855] Follow TCP Stream shows duplicate stream data
Comment # 12
on bug 12855
from Michael Mann
(In reply to Peter Wu from comment #5)
> tshark
> master:
> ===================================================================
> Follow: tcp,hex
> Filter: tcp.stream eq 0
> Node 0: 10.0.0.1:32323
> Node 1: 10.0.0.2:80
> 00000010 50 55 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a PUT / HT TP/1.1..
> 00000020 50 55 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a PUT / HT TP/1.1..
> 00000030 50 55 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a PUT / HT TP/1.1..
> 00000040 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content- Length:
> 00000050 36 0d 0a 6..
> 00000053 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content- Length:
> 00000063 36 0d 0a 6..
> 00000066 50 55 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a PUT / HT TP/1.1..
> 00000076 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content- Length:
> 00000086 36 0d 0a 0d 0a 6....
> 0000008B 0d 0a ..
> 0000008D 32 0a 2.
> 0000008F 33 0a 3.
> ===================================================================
The "old" Follow TCP stream (2.0 and older) would write the TCP stream to a
file and then reread it, effectively giving it a "second pass" (regardless of
*shark). The "current" Follow TCP stream (2.2 and master) uses just the tap
interface, so if you don't specify -2 on the TShark command line, you can get
drastically different results.
Here's what I got with
tshark.exe -2r "c:\Wireshark Test Files\follow_tcp\tcp80.pcap" -z follow,tcp,hex,0
===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 0
Node 0: 10.0.0.1:32323
Node 1: 10.0.0.2:80
00000000 50 55 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a PUT / HT TP/1.1..
00000010 50 55 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a PUT / HT TP/1.1..
00000020 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content- Length:
00000030 36 0d 0a 6..
00000033 0d 0a ..
00000035 32 0a 2.
00000037 33 0a 3.
===================================================================
Still not correct, but closer to the original issue shown by the submitter's capture
file.
Pascal's patch (https://code.wireshark.org/review/17749) does correctly affect
the original capture file, but doesn't alter the behavior of tcp80.pcap.