Wireshark-users: Re: [Wireshark-users] Betr: Re: Reassembly of HTTP packets

From: "Abhik Sarkar" <sarkar.abhik@xxxxxxxxx>
Date: Tue, 12 Aug 2008 10:30:10 +0400
Hi Daniel,

Just wanted to point out something... Joan suggested frame.len while I
had suggested tcp.len. frame.len will always be populated and will
contain the length of the entire frame (including ethernet/ip/tcp);
however, tcp.len will only be populated in case the frame contains a
segment of a reassembled TCP payload and will contain the length of
the TCP payload only.

Regards,
Abhik.

On Tue, Aug 12, 2008 at 9:08 AM, Daniel Gramsch <dagra@xxxxxx> wrote:
> Hello Joan, hello Abhik,
>
> thanks for your guidance. I think your proposals can help me so far.
>
> @ Joan
>
> I already found the proposed column option:
>
> "You can use in T|Wireshark a display filter: tcp.segments.
> This gives you an overview of which packets contain Reassembled TCP Segments.
> Packet Details (middle pane) shows you the frame numbers and payload.
> "
>
> But your proposal below seems not to work with my wireshark installation (1.0.2) under WinXP. It just filters out the reassembled packet,
> not the single fragments. Maybe it will work when switching to my linux installation ;-).
>
>>Choose a frame number you want to work on.
>>Next you can use display filter: tcp.reassembled_in==[frame number].
>>Edit > Mark All Packets
>>Note: don't forget to mark the frame with the reassembled PDU as well,
>>because this packet is not included in the selection.
>>Save the marked packets.
>
> However, I think I can "work around" this manually and with the help of
> some scripting when exporting the reassembled packets and parsing and
> removing/editing the according entries in my list. Thanks a lot again!
>
> Greetings,
> Daniel
>
>>Hi Daniel,
>>
>>You can use in T|Wireshark a display filter: tcp.segments.
>>This gives you an overview of which packets contain Reassembled TCP Segments.
>>Packet Details (middle pane) shows you the frame numbers and payload.
>>
>>Choose a frame number you want to work on.
>>Next you can use display filter: tcp.reassembled_in==[frame number].
>>Edit > Mark All Packets
>>Note: don't forget to mark the frame with the reassembled PDU as well,
>>because this packet is not included in the selection.
>>Save the marked packets.
>>
>>Somehow display filter tcp.reassembled_in doesn't work in Tshark and I can't
>>figure out why ;-(
>>
>>Next you can use Tshark|awk to show you the frame numbers, frame length and
>>total.
>>$ tshark -r yourfile.cap -T fields -e frame.number -e frame.len | awk 'sum = sum + $2; END { print "Total: " sum }'
>>Output:
>>1       1514
>>2       1514
>>3       1514
>>  snip
>>35      1514
>>36      1514
>>37      1021
>>Total: 55525
>>
>>===
>>Export Selected Packet Bytes....
>>
>>Display filter tcp.segments
>>Select the packet which contents you want to save.
>>
>>Look in Packet Details (middle pane): "Line-based text data: text/html".
>>Note: the description depends on the kind of data,
>>e.g.   Compuserve GIF, Version: GIF 89a
>>                       Media Type
>>
>>Select the line; right-click, choose Export Selected Packet Bytes...
>>and save as... (depending on kind of data)
>>
>>Hope this helps somehow ;-)
>>Joan
>>
>>On Sun, 10 Aug 2008 17:25:43 +0200 Daniel Gramsch wrote:
>>Hello Abhik,
>>
>>very fast ;-) - thank you! But I am not looking for the content of the reassembled
>>packets, just for the overall packet size.
>>The window under the menu (File > Export > Object > HTTP) seems to contain
>>this information, so how can I extract the two columns (packet num and
>>bytes)
>>from there? Just copying it and saving this window content into a text file is
>>not possible, or am I wrong?
>>
>>What I want to have at last is a kind of list in the following way:
>>
>>http packet size 100   ( this packet does not need to be reassembled, because it fits in a single tcp packet )
>>http packet size 1460  ( this packet does not need to be reassembled, because it fits in a single tcp packet )
>>http packet size 1461  ( one http packet but from reassembled tcp packets )
>>http packet size 2083  ( one http packet but from reassembled tcp packets )
>>
>>And is it possible to get the "File > Export > Object > HTTP" information
>>via tshark?
>>As I said I just need the reassembled packet sizes and of course the packet
>>number.
>>
>>Thanks a lot again,
>>Daniel
>>
>>
>>>Hello Daniel,
>>
>>>Yes, this is very much possible from the menu:
>>>File > Export > Object > HTTP
>>
>>>Hope this helps
>>>Abhik
>>
>>> On Sun, Aug 10, 2008 at 4:55 PM, Daniel Gramsch <dagra@xxxxxx> wrote:
>>> Hello,
>>>
>>> is it possible to view (and export) only reassembled HTTP packets in
>>> wireshark, even when their length is larger than the maximum
>>> transmission unit of an ip packet? I will give an example:
>>>
>>> tcp packet 1 contains some HTTP data. The data size is 1460 bytes,
>>> which is the max possible tcp payload in my network.
>>> tcp packet 2 contains the rest of the HTTP data. The data size is e.g.
>>> 900 bytes.
>>>
>>> The reassembled HTTP packet size is therefore 2360 bytes. It would be
>>> nice if there is a possibility where only these reassembled packets could
>>> be viewed or, better, saved via wireshark. So how can this be done?
>>>
>>> Thanks for your help,
>>> Daniel
>>> _____________________________
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
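Joan's tshark|awk one-liner sums frame.len, which (as Abhik notes) includes the Ethernet/IP/TCP headers, and it cannot tell which frames belong to one HTTP PDU. The script below is an added example, not code from the thread or the Wireshark project: it assumes tshark was run with the field list shown in the comment, and it groups tcp.len per tcp.reassembled_in frame over a constructed sample of that output to produce the per-PDU list Daniel asked for.

```python
# Constructed sample of the tab-separated output of (1.x tshark used -R where modern takes -Y):
#   tshark -r yourfile.cap -Y "tcp.port==80" -T fields -E separator=/t \
#          -e frame.number -e tcp.len -e tcp.reassembled_in
# tcp.reassembled_in is empty unless the segment belongs to a PDU completed in a later frame.
SAMPLE_TSHARK_OUTPUT = """\
1\t100\t
2\t1460\t
3\t1460\t5
4\t1460\t5
5\t900\t
6\t1460\t7
7\t1\t
8\t0\t
10\t1460\t12
"""


def pdu_sizes(text):
    """Return [(completing_frame, total_bytes_or_None, [segment frames])] in completion order.
    Segment payloads are credited to the frame named in tcp.reassembled_in, plus that frame's own
    payload when it arrives (it does not match the filter itself, as Joan notes). Pure ACKs are
    skipped; segments whose completing frame never arrives (truncated capture) get a None total."""
    pending, done = {}, []          # pending: completing frame -> [bytes so far, [frames]]
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or not cols[0].strip():
            continue                # blank or malformed line
        frame, tcp_len = int(cols[0]), int(cols[1] or 0)
        rin = int(cols[2]) if cols[2].strip() else None
        if rin is not None:
            entry = pending.setdefault(rin, [0, []])
            entry[0] += tcp_len
            entry[1].append(frame)
        elif tcp_len:
            total, segs = pending.pop(frame, (0, []))
            done.append((frame, total + tcp_len, segs + [frame]))
    done.extend((rin, None, segs) for rin, (_, segs) in sorted(pending.items()))
    return done


def report(text):
    """One line per HTTP PDU, in the shape Daniel asked for."""
    out = []
    for frame, total, segs in pdu_sizes(text):
        if total is None:
            out.append("frame %d: incomplete, segments %s never completed" % (frame, segs))
        else:
            how = "single tcp segment" if len(segs) == 1 else "reassembled from %s" % segs
            out.append("http packet size %d  (frame %d, %s)" % (total, frame, how))
    return out
```

Pipe the real tshark output into `pdu_sizes` instead of the sample to get the list for a capture; the None entries show where the capture ended mid-PDU.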