Wireshark mailing list archives

Q. on Tshark & Reassembled TCP segments


From: sift sans <sift.fan () gmail com>
Date: Wed, 6 Dec 2017 14:55:40 -0600

Is it possible to use Tshark to carve HTTP fields from an HTTP header
that's large enough to get divided up into multiple packets? In Wireshark,
this large/oversized HTTP header becomes displayed in reassembled TCP
segments. I can see the HTTP header in the ASCII section by finding the
frame that contains all of the reassembled TCP segments and clicking on the
"Reassembled TCP" tab at the bottom of the screen. I can see the full HTTP
header by again finding the frame containing all of the reassembled TCP
segments, right-clicking on (for example) "[4 Reassembled TCP Segments
(4255 bytes): #88238(1460) #88239(1460), #88240(1335), #88246(0)]", and
selecting "Show Packet Bytes...". All of the fields of the HTTP header are
fully decoded as normal and this display is similar to displaying the
"Follow TCP Stream" window.

Since my .pcap file has many HTTP sessions like this, how could I use
Tshark to carve HTTP fields from an HTTP header that's divided up into
multiple TCP segments?

Thanks,
KennyH.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
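
As an added illustration (not part of the original post, and not Wireshark's or Tshark's code), this Python sketch shows what reassembly does to a header that spans several TCP segments: payloads are ordered by sequence number, joined, and parsed only once the blank line that ends the header is present. The segment sizes mirror those quoted in the post; the payload bytes, host name, and function names are constructed for the example, and sequence-number wraparound is ignored.

```python
# Constructed illustration: an HTTP request header split across TCP segments
# can only be parsed after the segments are joined in sequence order.

def build_sample_segments(isn=1000):
    """Construct a 4255-byte request header and cut it at the sizes in the post."""
    head = b"GET /report HTTP/1.1\r\nHost: example.test\r\nCookie: "
    tail = b"\r\nUser-Agent: sample-agent/1.0\r\n\r\n"
    header = head + b"A" * (4255 - len(head) - len(tail)) + tail
    segments, offset = [], 0
    for size in (1460, 1460, 1335, 0):      # sizes quoted in the post
        segments.append((isn + offset, header[offset:offset + size]))
        offset += size
    return header, segments


def reassemble(segments):
    """Join (seq, payload) pairs in sequence order; skip retransmitted bytes."""
    stream = b""
    next_seq = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq
        if seq > next_seq:
            break                           # gap: a segment is missing, stop
        fresh = payload[next_seq - seq:]    # drop bytes already in the stream
        stream += fresh
        next_seq += len(fresh)
    return stream


def parse_http_header(data):
    """Return (start_line, fields), or None if the header is still incomplete."""
    end = data.find(b"\r\n\r\n")
    if end == -1:
        return None
    lines = data[:end].decode("latin-1").split("\r\n")
    fields = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return lines[0], fields


if __name__ == "__main__":
    header, segs = build_sample_segments()
    print(parse_http_header(segs[0][1]))    # first segment alone is incomplete
    start, fields = parse_http_header(reassemble(reversed(segs)))
    print(start, fields["host"], fields["user-agent"])
```
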