Hi all,
First time post.
I'm developing a java based app that uses tshark as the underlying capture
mechanism. I set up tshark and set capture filters and output the data in
PDML format (which is captured via stdin in my Java app and parsed via
SAX).
I've created a stream manager that holds stream objects. Each stream
contains all packets belonging to the communication between a client and
server i.e. each packet sent between the client/server for any one TCP
Stream.
For the purpose of this mail I'm targetting HTTP.
I capture all TCP packets and add them to the appropriate stream. When I
come across a HTTP message I add this to the same stream. In my capture
file that I use for testing I have HTTP request and HTTP response. So the
first 3 packets are those of the TCP handshake (SYN, SYN_ACK and ACK).
The fourth packet would normally be the HTTP request but due to the fact
the segments are split up and then reassembled I actually have four extra
TCP packets that I don't need (yes I know they are needed but I only want
the reassembled one). Here are some packet details
Handshake
---------
1. SYN from Client
2. SYN_ACK from Server
3. ACK from Client
Extra packets
-------------
4. RST_ACK from Client
5. ACK from Client (TCP segment of a reassembled PDU)
6. ACK from Client (TCP segment of a reassembled PDU)
7. PSH_ACK from Client (TCP segment of a reassembled PDU)
HTTP Request
------------
8. PSH_ACK HTTP Request from Client (POST method)
From what I understand that PDUs can be split across segments for two main
reasons:
1. Some packets are missing (not in my case)
2. Size of info based on segment means it has to be split
I need the fact wireshark can reassemble the data into another packet so
I'm not willing to turn reassembly off.
I dont want to see the extra TCP segment packets in my PDML stream, only
the reassembled ones. Is there a filter (capture or display) that I can
set with t-shark to omit the segment packets from my PDML stream (remember
I use Wireshark for visual analysis of the data but tshark in my java app?
Thanks in advance,
JP
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/