Apologies, I set my message settings to digest so I didn't get the individual mail to reply to. Can you reply to your message on the board, so I'll now receive it in my mail as a single mail (rather than as part of the digest; I'm new to mailing lists like this, sorry!)?
Anyway yes, that helps in so far as it gets rid of all non-HTTP packets, but there are times when I need the TCP packets. I'm not entirely sure if I need each one or just the ones that come as part of the standard protocol packets (POP, HTTP etc). In this app I parse instant messages, email (web and POP) and HTTP stuff. I'll investigate my code base and figure out if I really do need those single TCP packets (quite probable I don't).

Thanks,
JP

On Thu, 23 Oct 2008 12:54:20 +0100, John Paul Sheridan <[EMAIL PROTECTED]> wrote:

> Hi all,
>
> First time post.
>
> I'm developing a Java based app that uses tshark as the underlying capture mechanism. I set up tshark and set capture filters and output the data in PDML format (which is captured via stdin in my Java app and parsed via SAX).
>
> I've created a stream manager that holds stream objects. Each stream contains all packets belonging to the communication between a client and server, i.e. each packet sent between the client/server for any one TCP stream.
>
> For the purpose of this mail I'm targeting HTTP.
>
> I capture all TCP packets and add them to the appropriate stream. When I come across an HTTP message I add this to the same stream. In my capture file that I use for testing I have an HTTP request and HTTP response. So the first 3 packets are those of the TCP handshake (SYN, SYN_ACK and ACK). The fourth packet would normally be the HTTP request, but due to the fact the segments are split up and then reassembled I actually have four extra TCP packets that I don't need (yes I know they are needed, but I only want the reassembled one). Here are some packet details:
>
> Handshake
> ---------
> 1. SYN from Client
> 2. SYN_ACK from Server
> 3. ACK from Client
>
> Extra packets
> -------------
> 4. RST_ACK from Client
> 5. ACK from Client (TCP segment of a reassembled PDU)
> 6. ACK from Client (TCP segment of a reassembled PDU)
> 7. PSH_ACK from Client (TCP segment of a reassembled PDU)
>
> HTTP Request
> ------------
> 8. PSH_ACK HTTP Request from Client (POST method)
>
> From what I understand, PDUs can be split across segments for two main reasons:
> 1. Some packets are missing (not in my case)
> 2. Size of info based on segment means it has to be split
>
> I need the fact Wireshark can reassemble the data into another packet, so I'm not willing to turn reassembly off.
>
> I don't want to see the extra TCP segment packets in my PDML stream, only the reassembled ones. Is there a filter (capture or display) that I can set with tshark to omit the segment packets from my PDML stream (remember I use Wireshark for visual analysis of the data but tshark in my Java app)?
>
> Thanks in advance,
> JP

-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

_______________________________________________
Wireshark-dev mailing list
[email protected]
https://wireshark.org/mailman/listinfo/wireshark-dev
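One way to drop the "TCP segment of a reassembled PDU" frames on the consumer side, as an added example that is not from the thread or the Wireshark project: a SAX handler over the PDML stream that skips any packet whose tcp proto carries a `tcp.reassembled_in` field (the marker the TCP dissector emits on each segment, pointing at the frame that holds the reassembled PDU). Python's `xml.sax` stands in for the Java SAX parser; the PDML fragment is constructed, not a real capture, and the field names are assumed to match the dissector's output when reassembly is enabled.

```python
import xml.sax
from xml.sax.handler import ContentHandler

# Constructed PDML fragment (not a real capture): frames 5 and 6 are TCP
# segments of a reassembled PDU, frame 8 is the reassembled HTTP request.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml>
  <packet><proto name="frame"><field name="frame.number" show="1"/></proto>
    <proto name="tcp"><field name="tcp.flags" show="0x0002"/></proto></packet>
  <packet><proto name="frame"><field name="frame.number" show="5"/></proto>
    <proto name="tcp"><field name="tcp.reassembled_in" show="8"/></proto></packet>
  <packet><proto name="frame"><field name="frame.number" show="6"/></proto>
    <proto name="tcp"><field name="tcp.reassembled_in" show="8"/></proto></packet>
  <packet><proto name="frame"><field name="frame.number" show="8"/></proto>
    <proto name="tcp"><field name="tcp.reassembled.length" show="1200"/></proto>
    <proto name="http"><field name="http.request.method" show="POST"/></proto></packet>
</pdml>"""

class SegmentDroppingHandler(ContentHandler):
    """SAX handler that keeps packets but skips TCP segments of a reassembled PDU."""
    def __init__(self):
        super().__init__()
        self.kept = []          # (frame number, [protocol names]) for packets kept
        self._number = None
        self._protos = []
        self._is_segment = False

    def startElement(self, name, attrs):
        if name == "packet":
            self._number, self._protos, self._is_segment = None, [], False
        elif name == "proto":
            self._protos.append(attrs.get("name"))
        elif name == "field":
            fname = attrs.get("name")
            if fname == "frame.number":
                self._number = int(attrs.get("show"))
            elif fname == "tcp.reassembled_in":
                # Dissector says "reassembled PDU in frame N": this is a segment.
                self._is_segment = True

    def endElement(self, name):
        if name == "packet" and not self._is_segment:
            self.kept.append((self._number, self._protos))

def kept_packets(pdml_text):
    """Parse a PDML document and return the packets that are not reassembly segments."""
    handler = SegmentDroppingHandler()
    xml.sax.parseString(pdml_text.encode(), handler)
    return handler.kept
```

The same criterion can be applied before the data reaches the app with a tshark display filter of `!tcp.reassembled_in`, which leaves the handshake and the reassembled frame while removing the segment frames.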
