Wireshark-users: Re: [Wireshark-users] Betr: Re: Reassembly of HTTP packets
From: Daniel Gramsch <dagra@xxxxxx>
Date: Tue, 12 Aug 2008 07:08:25 +0200
Hello Joan, hello Abhik, thanks for your guidance. I think your proposals can help me so far.

@ Joan: I had already found the proposed column option: "You can use in T|Wireshark a display filter: tcp.segments. This gives you an overview of which packets contain Reassembled TCP Segments. Packet Details (middle pane) shows you the frame numbers and payload." But your proposal below seems not to work with my Wireshark installation (1.0.2) under WinXP. It just filters out the reassembled packet, not the single fragments. Maybe it will work when switching to my Linux installation ;-).
> Choose a frame number you want to work on. Next you can use display filter: tcp.reassembled_in==[frame number]. Edit > Mark All Packets. Note: don't forget to mark the frame with the reassembled PDU as well, because this packet is not included in the selection. Save the marked packets.
However, I think I can "work around" this manually and with the help of some scripting when exporting the reassembled packets and parsing and removing/editing the according entries in my list. Thanks a lot again!
Greetings, Daniel
Hi Daniel,

You can use in T|Wireshark a display filter: tcp.segments. This gives you an overview of which packets contain Reassembled TCP Segments. Packet Details (middle pane) shows you the frame numbers and payload.

Choose a frame number you want to work on. Next you can use display filter: tcp.reassembled_in==[frame number]. Edit > Mark All Packets. Note: don't forget to mark the frame with the reassembled PDU as well, because this packet is not included in the selection. Save the marked packets.

Somehow display filter tcp.reassembled_in doesn't work in Tshark and I can't figure out why ;-(

Next you can use Tshark|awk to show you the frame numbers, frame length and total.

$ tshark -r yourfile.cap -T fields -e frame.number -e frame.len | awk 'sum = sum + $2;END { print "Total: " sum }'

Output:
1 1514
2 1514
3 1514
snip
35 1514
36 1514
37 1021
Total: 55525

===
Export Selected Packet Bytes....
Display filter tcp.segments
Select the packet whose contents you want to save. Look in Packet Details (middle pane) for "Line-based text data: text/html". Note: the description depends on the kind of data, e.g. Compuserve GIF, Version: GIF 89a, Media Type. Select the line; right-click, choose Export Selected Packet Bytes... and save as... (depending on kind of data).

Hope this helps somehow ;-)
Joan

On Sun, 10 Aug 2008 17:25:43 +0200 Daniel Gramsch wrote:

Hello Abhik, very fast ;-) - thank you! But I am not looking for the content of the reassembled packets, just for the overall packet size. The window under the menu (File > Export > Object > HTTP) seems to contain this information, so how can I extract the two columns (packet num and bytes) from there? Just copying the content of this window and saving it into a text file is not possible, or am I wrong?
What I want to have at last is a kind of list in the following way:

http packet size 100 (this packet does not need to be reassembled, because it fits in a single tcp packet)
http packet size 1460 (this packet does not need to be reassembled, because it fits in a single tcp packet)
http packet size 1461 (one http packet but from reassembled tcp packets)
http packet size 2083 (one http packet but from reassembled tcp packets)

And is it possible to get the "File > Export > Object > HTTP" information via tshark? As I said, I just need the reassembled packet sizes and of course the packet number.

Thanks a lot again,
Daniel

Hello Daniel,
Yes, this is very much possible from the menu: File > Export > Object > HTTP
Hope this helps
Abhik

On Sun, Aug 10, 2008 at 4:55 PM, Daniel Gramsch <dagra@xxxxxx> wrote:

Hello, is it possible to view (and export) only reassembled HTTP packets in Wireshark, even when their length is larger than the maximum transmission unit of an IP packet? I will give an example: TCP packet 1 contains some HTTP data. The data size is 1460 bytes, which is the max possible TCP payload in my network. TCP packet 2 contains the rest of the HTTP data. The data size is e.g. 900 bytes. The reassembled HTTP packet size is therefore 2360 bytes. It would be nice if there were a possibility where only these reassembled packets could be viewed, or better saved, via Wireshark. So how can this be done?

Thanks for your help,
Daniel
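As an added example (my own code, not from this thread and not part of Wireshark or tshark), here is a small Python script that turns tshark field output into the kind of list Daniel asks for: one line per HTTP PDU with its frame number, its size, and whether it fits in a single TCP segment or was reassembled, plus which frames it was reassembled from. The tshark invocation in the docstring, the field names tcp.reassembled.length and tcp.segment, and the -Y flag are assumptions about a current tshark (1.0.x-era releases used -R for read filters); the sample lines are constructed to match the sizes quoted in the thread.

```python
"""Classify HTTP PDUs from tshark field output: single-segment vs reassembled.

Added example, not from the mailing-list thread. It assumes the input came from
a command like the following (field names and -Y are assumptions about a
current tshark; older releases took -R for the read filter):

  tshark -r yourfile.cap -Y http -T fields -E separator=/t \
         -e frame.number -e tcp.len -e tcp.reassembled.length -e tcp.segment

That yields one tab-separated line per HTTP PDU: the frame that carries the
(reassembled) PDU, the TCP payload length of that frame alone, the reassembled
length (empty when no reassembly happened), and the comma-joined list of
frames that were stitched together (empty when no reassembly happened).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MSS = 1460  # largest TCP payload on Daniel's network, as stated in the thread


@dataclass
class HttpPdu:
    frame: int          # frame number tshark reports the PDU in
    size: int           # HTTP payload size after reassembly (or tcp.len)
    segments: List[int]  # frames contributing to this PDU

    @property
    def reassembled(self) -> bool:
        return len(self.segments) > 1

    def describe(self) -> str:
        if self.reassembled:
            segs = ",".join(str(s) for s in self.segments)
            return (f"http packet size {self.size} (frame {self.frame}, "
                    f"one http packet from reassembled tcp frames {segs})")
        return (f"http packet size {self.size} (frame {self.frame}, "
                f"fits in a single tcp packet)")


def parse_line(line: str) -> Optional[HttpPdu]:
    """Parse one tshark -T fields line; returns None for blank/malformed lines."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 4 or not parts[0].strip():
        return None
    frame = int(parts[0])
    tcp_len = int(parts[1]) if parts[1] else 0
    reasm_len = int(parts[2]) if parts[2] else None
    segments = [int(s) for s in parts[3].split(",") if s.strip()]
    if reasm_len is not None and segments:
        return HttpPdu(frame, reasm_len, segments)
    # No reassembly: the PDU is exactly this frame's TCP payload.
    return HttpPdu(frame, tcp_len, [frame])


def parse_tshark(text: str) -> List[HttpPdu]:
    pdus = [parse_line(ln) for ln in text.splitlines()]
    return [p for p in pdus if p is not None]


def summarize(pdus: List[HttpPdu]) -> Dict[str, int]:
    """Counts and total bytes; 'oversized_single' flags PDUs that claim to fit
    in one segment yet exceed the MSS, which indicates the capture or the
    field export is inconsistent and should be re-checked."""
    return {
        "single": sum(1 for p in pdus if not p.reassembled),
        "reassembled": sum(1 for p in pdus if p.reassembled),
        "oversized_single": sum(1 for p in pdus
                                if not p.reassembled and p.size > MSS),
        "bytes": sum(p.size for p in pdus),
    }


# Constructed sample output (not captured from a real trace); sizes mirror the
# examples Daniel gives: 100, 1460, 1461, 2083 and the 1460+900=2360 case.
SAMPLE = (
    "4\t100\t\t\n"
    "9\t1460\t\t\n"
    "12\t1\t1461\t11,12\n"
    "20\t900\t2360\t19,20\n"
    "31\t623\t2083\t29,30,31\n"
)

if __name__ == "__main__":
    pdus = parse_tshark(SAMPLE)
    for pdu in pdus:
        print(pdu.describe())
    print(summarize(pdus))
```

Feeding real tshark output into parse_tshark (for example via sys.stdin) gives the per-PDU list without going through File > Export > Object > HTTP; the reassembled size comes from tshark's own reassembly rather than from adding up frame lengths, so TCP/IP header bytes are not counted as HTTP payload.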