Wireshark mailing list archives
Re: tshark option for reassembled fragment output
From: Christopher Maynard <Christopher.Maynard () gtech com>
Date: Sun, 3 Mar 2013 18:51:49 +0000 (UTC)
Hadriel Kaplan <HKaplan@...> writes:
> BTW, some output from that bug's pcap with your filter:
>
> ./tshark -r testcapture.pcapng -R 'ip.src == 10.90.130.69 && ip.dst == 10.90.130.66 && tcp.flags.push == 1'
>   5 0.001054000 0.000050000 10.90.130.69 -> 10.90.130.66 HTTP/XML POST /urreq/rrurreq.dll/?soaprequest HTTP/1.1
>
> ./tshark -r testcapture.pcapng -R 'ip.src == 10.90.130.69 && ip.dst == 10.90.130.66 && tcp.flags.push == 1' -2
>   1 0.001054000 0.000000000 10.90.130.69 -> 10.90.130.66 HTTP/XML POST /urreq/rrurreq.dll/?soaprequest HTTP/1.1
>
> ./tshark -r testcapture.pcapng -Y 'ip.src == 10.90.130.69 && ip.dst == 10.90.130.66 && tcp.flags.push == 1'
>   4 0.001004000 0.000886000 10.90.130.69 -> 10.90.130.66 TCP [TCP segment of a reassembled PDU]
>   5 0.001054000 0.000050000 10.90.130.69 -> 10.90.130.66 HTTP/XML POST /urreq/rrurreq.dll/?soaprequest HTTP/1.1
>
> Note that last one is what my patch is doing with the '-Y' mode. If this
> replaces one of the current modes instead of being a new one, I'll make it
> stop printing the fragments out. I couldn't decide if it seemed odd or not
> to print them, but I figured if it was a new option to do this reassembly
> thing anyway, that the user could just not use it if they were printing to
> stdout and didn't want to see the fragments.

I think there is a difference between displaying the packets matching the
filter and saving the packets matching the filter to another pcap file. In
the former case, Wireshark does not display packets that don't match the
display filter; I think tshark should behave the same way. Only when you save
packets off to another pcap file do the dependencies also get saved using
Wireshark. That's what I think tshark should do here as well.

And currently Wireshark does not allow you *NOT* to save those dependencies -
From Jeff's commit message, "Also, this behavior is always the case: you can't
save the displayed packets without their dependencies (I don't see why this
would be desirable)." So, tshark might as well act similarly.

I suggest dispensing with the -Y option and just save all packet dependencies
when using the -2 and -w <outfile> options. Displaying packets should not
change.

I'm curious what Jeff thinks though since he wrote the code for Wireshark.

- Chris