Ok. when I read trace with tshark option –X it gives me reassembled
packet payload in the very last packet. Problem is that when I use –r
option to write it to other file it puts there only fragmented part of
the packet not the reassembled one. Do you have any clue for this?
Regards,
Marcin
Marcin pisze:
Ok thanks! Another question is:
My case is bit particular. My trace consists of:
1) UDP packets of interest, identified by the particular payload
bytes (most of them are fragmented)
2) All the IP packets that are fragmented (this is done in such
way to be able to catch all the parts)
So my trace is huge, can I make tshark to reassemble only the packets
that interest me? I’m worried about the performance in other case.
Also what I will see in the output trace? Only reassembled packets or
also the fragmented parts?
Marcin
Joerg Mayer pisze:
On Wed, Sep 19, 2007 at 11:09:41AM +0200, Marcin wrote:
Is there a way to merge all the fragmented IP packets and them
output them into separate trace? I Would need smth. like:
tshark ???r intrace ???w outrace
to have all the packets merged inside the outrace. I then need to
access full payload of the merged packets.
In a newly installed setting wireshark (and tshark) will automagically
reassemble fragmented ip packets: The last fragment will dissect like
the whole packet. This behaviour can be changed via preferences.
ciao
Joerg
----------------------------------------------------------------------
To takie proste - u�yj telefonu
http://link.interia.pl/f1b9c
------------------------------------------------------------------------
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
----------------------------------------------------------------------
To takie proste - u¿yj telefonu
http://link.interia.pl/f1b9c
