Wireshark · Wireshark-users: [Wireshark-users] Betr: Re: Reassembly of HTTP packets

[j.snelders@xxxxxxxxxx]

Hi Daniel,

You can use in T|Wireshark a display filter: tcp.segments.
This gives you an overview of which packets contain Reassembled TCP Segments.
Packet Details (middle pane) shows you the frame numbers and payload.

Choose a frame number you want to work on.
Next you can use display filter: tcp.reassembled_in==[frame number]. 
Edit > Mark All Packets
Note: don' forget to mark the frame with the reassembled PDU as well, 
because this packet is not included in the selection.
Save the marked packets.

Somehow display filter tcp.reassembled_in doesn't work in Tshark and I cann't
figure out why ;-(

Next you can use Tshark|awk to show you the frame numbers, frame length and
total.
$ tshark -r yourfile.cap -T fields -e frame.number -e frame.len | awk
 'sum = sum + $2;END { print "Total: " sum }'
Output:
1       1514
2       1514
3       1514
  snip
35      1514
36      1514
37      1021
Total: 55525

===
Export Selected Packet Bytes....

Display filter tcp.segments
Select the packet which contents you want to save.

Look in Packet Details (middle pane) "Line-based text data: text/html.
Note: the description depends on the kind of data
p.e. 	Compuserve GIF, Version: GIF 89a
			Media Type 

Select the line; right-click, choose Export Selected Packet Bytes...
and save as... (depending on kind of data)

Hope this helps somehow ;-)
Joan

On Sun, 10 Aug 2008 17:25:43 +0200 Daniel Gramsch wrote:
>Hello Abhik,
>
>very fast ;-) - thank you! But I am not looking for the content of the reassembled
>packets, just for the overall packet size.
>The window under the menu (File > Export > Object > HTTP) seems to contain
>these information, so how can I exctract the two columns (packet num and
>bytes)
>from there? Just copy it and save this window content into a text file is
>not possible or am I wrong?
>
>What I want to have at last is a kind of list in the following way:
>
>http packet size 100	( this packet does not need to be reassembled, cause
>it fits in a single tcp packet )
>http packet size 1460	( this packet does not need to be reassembled, cause
>it fits in a single tcp packet )
>http packez size 1461 	( one http packet but from reassembled tcp packets
>)
>http packet size 2083	( one http packet but from reassembled tcp packets
>)
>
>And is it possible to get the "File > Export > Object > HTTP" information
>via tshark?
>As I said I just need the reassembled packet sizes and of course the packet
>number.
>
>Thanks a lot again,
>Daniel
>
>
>>Hello Daniel,
>
>>Yes, this is very much possible from the menu:
>>File > Export > Object > HTTP
>
>>Hope this helps
>>Abhik
>
>> On Sun, Aug 10, 2008 at 4:55 PM, Daniel Gramsch <dagra@xxxxxx> wrote:
>> Hello,
>>
>> is it possible to view (and export) only reassembled HTTP packets in
>> wireshark, even when their length is larger than the maximum
>> transmission unit of an ip packet? I will give an example:
>>
>> tcp packet 1 contains some HTTP data . The data size is 1460 bytes,
>> which is the max possible tcp payload in my network.
>> tcp packet 2 contains the rest of the HTTP data. The data size is f.e.
>> 900 bytes.
>>
>> The reassembled HTTP packet size is therefore 2360 bytes. It would be
>> nice if there is a possibility where only this reassembled packets could
>> be viewed or better saved via wireshark. So how can this be done?
>>
>> Thanks for your help,
>> Daniel
>> _______________________________________________
>> Wireshark-users mailing list
>> Wireshark-users@xxxxxxxxxxxxx
>> https://wireshark.org/mailman/listinfo/wireshark-users
>>
>
>_______________________________________________
>Wireshark-users mailing list
>Wireshark-users@xxxxxxxxxxxxx
>https://wireshark.org/mailman/listinfo/wireshark-users