|Main Archive Page > Month Archives > wireshark-users archives|
That's bug 3315 , which you may be able to work around by
adding "or ip.flags.mf==1" to your filter expression (if IP
fragmentation is applicable).
On Tue, 12 Oct 2010
15:38:31 +0200, "Gerd Windisch" wrote:
I am trying to
filter all GET-requests to a certain server out of a PCAP file. The
display filter rule I use is "http.host contains servername". This works
fine as long as I am having the complete PCAP file. Then I save the
filtered packets in a new PCAP file. When I in turn open this PCAP file,
the GET-requests, which weren't in a fragmented PDU, are shown
correctly. However, the others (the fragmented GET-requests) are now
displayed as "Continuation or non-HTTP traffic". I found out that the
dissection of the complete PCAP file makes use of packet data of
neighboring packets, which are not saved in the output PCAP file.
save procedure only saves the last packet of the fragmented PDU. Is
there any solution to save all required packets in the resulting PCAP
file, which allows for proper dissection later on?
Thanks in advance
for your help
Sent via: Wireshark-users mailing list <email@example.com>