Wireshark mailing list archives

Re: filter for ONLY initial get request


From: Martin Visser <martinvisser99 () gmail com>
Date: Mon, 16 Aug 2010 10:37:52 +1000

tcp.stream has been available since 1.2.0 from my recollection.

Regards, Martin

MartinVisser99 () gmail com


On Sat, Aug 14, 2010 at 8:12 AM, Jeffs <jeffs () speakeasy net> wrote:


Any idea on where to start? :-[

I'm not great on bash scripting.  What would be helpful to know is
this and maybe you could provide me guidance since you understand the
structure of .cap files better than I do:

Would the flow of the script be to loop through the .cap file pulling
out data that has GET request and the associated domain, then, while
in that part of the loop, pull back the http.content_type value, and
if that value="text/html" output the domain name it just saved, to a
separate file?

Then move onto the next line?

Do you think that logic would work?

To be honest, I don't really know the structure of a capture file. My use
of Wireshark consists mainly of using the GUI (and some other strange
things ;) ).

Anyway, what you present doesn't seem illogical to me. To be precise:
- Filter packets with the filter http.request, displaying the tcp.stream
field
- Iterate through those lines
- At each line, reload the file using the filter
http.content_type=="text/html" && tcp.stream==streamid to get the link

But you can also do it in the other direction:
- Filter using http.content_type=="text/html", displaying the tcp.stream
field
- Iterate and back up every tcp.stream
- Filter again using http.request, displaying the tcp.stream field
- Iterate and get every domain corresponding to a tcp.stream that you
have previously backed up
With this logic, you get a great algorithmic gain.

I suggest you ask your question on the list, not me directly.

Best regards.

I cannot find the expression tcp.stream in the Wireshark expression list.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
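The second approach sketched in the quoted reply (collect the tcp.stream ids of text/html responses once, then walk the http.request list and keep the matching hosts) is easy to script once the two tshark field dumps exist. The following is an added example, not code from anyone in this thread; the tshark command lines in the comments and the two tab-separated dumps are constructed/assumed so the join logic runs offline, and it also handles Content-Type values that carry a charset parameter, which an exact `== "text/html"` filter would miss.

```python
from collections import defaultdict

# The two dumps below stand in for tshark field output (tab separated), e.g.
#   tshark -r capture.cap -Y http.request -T fields -e tcp.stream -e http.host -e http.request.uri
#   tshark -r capture.cap -Y http.response -T fields -e tcp.stream -e http.content_type
# They are constructed samples so this runs offline; -Y/-T/-e are tshark
# options assumed to exist on the reader's version.
REQUESTS = """\
0\twww.example.com\t/index.html
1\tcdn.example.net\t/static/logo.png
2\tapi.example.org\t/v1/status
3\twww.example.com\t/about
"""
# Stream 3 shows why an exact http.content_type=="text/html" filter would
# miss responses that carry a charset parameter.
RESPONSES = """\
0\ttext/html
1\timage/png
2\tapplication/json
3\ttext/html; charset=UTF-8
"""

def parse_fields(dump, ncols):
    """Split a tshark -T fields dump into rows; skip blank or short lines."""
    rows = []
    for line in dump.splitlines():
        parts = line.split("\t")
        if len(parts) >= ncols and parts[0]:
            rows.append(parts[:ncols])
    return rows

def html_streams(response_dump):
    """Stream ids whose response media type is text/html (parameters ignored)."""
    return {stream for stream, ctype in parse_fields(response_dump, 2)
            if ctype.split(";")[0].strip().lower() == "text/html"}

def hosts_serving_html(request_dump, response_dump):
    """Second approach from the thread: record the HTML stream ids once,
    then walk the request list and keep hosts whose stream is in that set."""
    wanted = html_streams(response_dump)
    hosts = defaultdict(set)
    for stream, host, uri in parse_fields(request_dump, 3):
        if stream in wanted:
            hosts[host].add(uri)
    return dict(hosts)

if __name__ == "__main__":
    for host, uris in sorted(hosts_serving_html(REQUESTS, RESPONSES).items()):
        print(host, sorted(uris))
```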

