Hi all, First time post.
I'm developing a Java-based app that uses tshark as the underlying capture mechanism. I set up tshark, set capture filters and output the data in PDML format (which is captured via stdin in my Java app and parsed via SAX). I've created a stream manager that holds stream objects. Each stream contains all packets belonging to the communication between a client and server, i.e. each packet sent between the client/server for any one TCP stream. For the purpose of this mail I'm targeting HTTP. I capture all TCP packets and add them to the appropriate stream. When I come across an HTTP message I add this to the same stream.

In the capture file that I use for testing I have an HTTP request and an HTTP response. So the first 3 packets are those of the TCP handshake (SYN, SYN_ACK and ACK). The fourth packet would normally be the HTTP request, but due to the fact that the segments are split up and then reassembled I actually have four extra TCP packets that I don't need (yes, I know they are needed, but I only want the reassembled one). Here are some packet details:

Handshake
---------
1. SYN from Client
2. SYN_ACK from Server
3. ACK from Client

Extra packets
-------------
4. RST_ACK from Client
5. ACK from Client (TCP segment of a reassembled PDU)
6. ACK from Client (TCP segment of a reassembled PDU)
7. PSH_ACK from Client (TCP segment of a reassembled PDU)

HTTP Request
------------
8. PSH_ACK HTTP Request from Client (POST method)

From what I understand, PDUs can be split across segments for two main reasons:
1. Some packets are missing (not in my case)
2. Size of info based on segment means it has to be split

I need the fact that Wireshark can reassemble the data into another packet, so I'm not willing to turn reassembly off. I don't want to see the extra TCP segment packets in my PDML stream, only the reassembled ones.
Is there a filter (capture or display) that I can set with tshark to omit the segment packets from my PDML stream (remember I use Wireshark for visual analysis of the data but tshark in my Java app)?

Thanks in advance,
JP
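As an added example that is not part of JP's post and not code from the Wireshark project: the stream-manager side of the problem, i.e. consuming PDML through a SAX handler, grouping frames by TCP stream, and dropping the frames that Wireshark has marked as pieces of a PDU reassembled in a later frame. It is written in Python rather than Java so that it runs stand-alone; the SAX structure maps directly onto the Java SAX API the post describes. The PDML sample is constructed, and the field names it relies on (`frame.number`, `tcp.stream`, `tcp.reassembled_in`, `tcp.segments`) are assumed to match what tshark emits for the tcp and http dissectors; the post itself does not name them.

```python
import xml.sax
from collections import defaultdict

# Constructed PDML sample (not from the original post). Four frames of one
# TCP stream: two handshake frames, one segment that Wireshark says is
# "reassembled in" frame 8, and frame 8 itself, which carries the HTTP request.
SAMPLE_PDML = """<pdml version="0">
  <packet>
    <proto name="frame"><field name="frame.number" show="1"/></proto>
    <proto name="tcp">
      <field name="tcp.stream" show="0"/>
      <field name="tcp.flags" showname="Flags: 0x002 (SYN)" show="0x0002"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame"><field name="frame.number" show="2"/></proto>
    <proto name="tcp">
      <field name="tcp.stream" show="0"/>
      <field name="tcp.flags" showname="Flags: 0x012 (SYN, ACK)" show="0x0012"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame"><field name="frame.number" show="5"/></proto>
    <proto name="tcp">
      <field name="tcp.stream" show="0"/>
      <field name="tcp.flags" showname="Flags: 0x010 (ACK)" show="0x0010"/>
      <field name="tcp.reassembled_in" showname="Reassembled PDU in frame: 8" show="8"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame"><field name="frame.number" show="8"/></proto>
    <proto name="tcp">
      <field name="tcp.stream" show="0"/>
      <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" show="0x0018"/>
      <field name="tcp.segments" showname="2 Reassembled TCP Segments" show=""/>
    </proto>
    <proto name="http">
      <field name="http.request.method" show="POST"/>
    </proto>
  </packet>
</pdml>
"""


def is_unreassembled_segment(pkt):
    """True for a frame that only carries a piece of a PDU.

    Assumption: Wireshark tags such frames with tcp.reassembled_in (pointing at
    the frame that completes the PDU) and runs the HTTP dissector only on that
    completing frame, so it is the one that appears with an http proto.
    """
    return "tcp.reassembled_in" in pkt["fields"] and "http" not in pkt["protos"]


class PdmlStreamHandler(xml.sax.ContentHandler):
    """SAX handler: one dict per <packet>, flushed into a stream table on close."""

    def __init__(self):
        super().__init__()
        self.streams = defaultdict(list)  # tcp.stream id -> kept frame numbers
        self.dropped = []                 # frame numbers filtered out
        self._packet = None

    def startElement(self, name, attrs):
        if name == "packet":
            self._packet = {"protos": [], "fields": {}}
        elif self._packet is None:
            return
        elif name == "proto":
            self._packet["protos"].append(attrs.get("name", ""))
        elif name == "field":
            fname = attrs.get("name")
            if fname:
                self._packet["fields"][fname] = attrs.get("show", "")

    def endElement(self, name):
        if name != "packet" or self._packet is None:
            return
        pkt, self._packet = self._packet, None
        fields = pkt["fields"]
        if "tcp.stream" not in fields:
            return  # only TCP streams are tracked in this example
        frame = int(fields.get("frame.number", "0"))
        if is_unreassembled_segment(pkt):
            self.dropped.append(frame)
            return
        self.streams[fields["tcp.stream"]].append(frame)


def parse_pdml(text):
    """Parse a PDML document; return ({stream_id: [frames]}, [dropped frames])."""
    handler = PdmlStreamHandler()
    xml.sax.parseString(text.encode("utf-8"), handler)
    return dict(handler.streams), handler.dropped


if __name__ == "__main__":
    streams, dropped = parse_pdml(SAMPLE_PDML)
    print("kept per stream:", streams)   # {'0': [1, 2, 8]}
    print("dropped segments:", dropped)  # [5]
```

Filtering at this point keeps the handshake and the reassembled request in the stream while discarding frames 5-7 of the post's list; the RST_ACK in frame 4 has no reassembly marker and would be kept, which is the right call since a reset is stream state worth recording. Doing the same on the tshark side with a display filter on the `tcp.reassembled_in` field is an option the post does not confirm for its tshark version, so the example assumes nothing about it.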
