Wireshark-users: [Wireshark-users] Q. on Tshark & Reassembled TCP segments

From: sift sans <sift.fan@xxxxxxxxx>
Date: Wed, 6 Dec 2017 14:55:40 -0600
Is it possible to use Tshark to carve HTTP fields from an HTTP header that's large enough to get divided up into multiple packets? In Wireshark, this large/oversized HTTP header becomes displayed in reassembled TCP segments. I can see the HTTP header in the ASCII section by finding the frame that contains all of the reassembled TCP segments and clicking on the "Reassembled TCP" tab at the bottom of the screen. I can see the full HTTP header by again finding the frame containing all of the reassembled TCP segments, right clicking on (for example) "[4 Reassembled TCP Segments (4255 bytes): #88238(1460) #88239(1460), #88240(1335), #88246(0)]", and selecting "Show Packet Bytes...". All of the fields of the HTTP header are fully decoded as normal and this display is similar to displaying the "Follow TCP Stream" window.

Since my .pcap file has many HTTP sessions like this, how could I use Tshark to carve HTTP fields from an HTTP header that's divided up into multiple TCP segments?

Thanks,
KennyH.
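One way to do the carving with tshark, added here as an example and not part of the original thread: tshark performs the same TCP reassembly as Wireshark, so the decoded HTTP fields are emitted on the frame in which reassembly completes (frame #88246 in the question). The script assumes tshark is on PATH and takes the capture path as its first argument; the sample rows at the bottom are constructed to resemble the 4-segment, 4255-byte header described above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes tshark is on PATH and the
# capture path is passed as $1; field names are standard Wireshark ones.

# carve_http_fields: one row per HTTP request, emitted on the frame in which
# tshark completed TCP reassembly (reassembly is on by default; the -o options
# only make that explicit). -2 runs two passes so reassembly fields are filled.
carve_http_fields() {
  tshark -r "$1" -2 \
    -o tcp.desegment_tcp_streams:TRUE \
    -o http.desegment_headers:TRUE \
    -Y 'http.request' \
    -T fields -E header=y -E separator='|' \
    -e frame.number -e tcp.segment.count -e tcp.reassembled.length \
    -e http.request.method -e http.host -e http.request.uri -e http.user_agent
}

# only_multisegment: keep the header row plus requests whose header spanned
# more than one TCP segment. tcp.segment.count is empty (or 1) when the
# whole header fit in one packet, so those rows drop out.
only_multisegment() {
  awk -F'|' 'NR == 1 || ($2 + 0) > 1'
}

# Constructed sample of carve_http_fields output, shaped like the 4-segment,
# 4255-byte header described in the question (frame numbers are illustrative).
SAMPLE='frame.number|tcp.segment.count|tcp.reassembled.length|http.request.method|http.host|http.request.uri|http.user_agent
88246|4|4255|GET|example.test|/oversized|Mozilla/5.0
90001|||GET|example.test|/small|curl/7.0'

# demo: run the filter over the constructed sample (no tshark needed).
demo() {
  printf '%s\n' "$SAMPLE" | only_multisegment
}

demo
```

On a real capture, run `carve_http_fields capture.pcap | only_multisegment`; drop the second stage to list every request regardless of segment count.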