Wireshark mailing list archives
Re: Hex Offset Needed
From: Martin Visser <martinvisser99 () gmail com>
Date: Tue, 2 Mar 2010 13:52:39 +1100
John,

This is a bit tricky. Firstly I don't believe that there is an HTTP response code (or status code) with a value of "0" (see http://en.wikipedia.org/wiki/List_of_HTTP_status_codes and the RFCs).

Also the HTTP "User-Agent" is going to go out in the request, and is not seen in the response. So whatever you do needs to be "stateful", knowing that the response is associated with a particular request.

Also I don't think there is a guarantee on the "offset" in a packet where the response code will be, and almost certainly not for the "User-Agent" string, as it is usually preceded by the "Accept" string, which is quite variable amongst browsers.

However you can use the Wireshark "Packet Bytes" pane (usually at the bottom of the window) to see if you can devise something that is a "good enough" filter to limit what you capture and then refine it further with Wireshark to do it properly.

Regards, Martin
MartinVisser99 () gmail com

On Tue, Mar 2, 2010 at 11:36 AM, Sheahan, John <John.Sheahan () priceline com> wrote:
Another way for me to track this problem down is for me to sniff all Safari browsers on MAC’s using HTTP coming into our webservers.

I will need to create a filter using the offset values for:

HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en)

Can anyone help me put this together?

Thanks
john

*From:* wireshark-users-bounces () wireshark org [mailto: wireshark-users-bounces () wireshark org] *On Behalf Of* Sheahan, John
*Sent:* Monday, March 01, 2010 5:38 PM
*To:* 'Community support list for Wireshark'
*Subject:* [Wireshark-users] Hex Offset Needed

I am trying to troubleshoot an HTTP problem where the StatusCode=0 in the HTTP header.

I need to capture packets containing this parameter but since I am doing it on a Netscout probe, I have no way to figure out the offset of this in a packet.

Can anyone tell me what hex offset I would need to put in as a filter to capture these packets?

Thanks
John

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org ?subject=unsubscribe
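The two points in the reply above (the User-Agent header has no fixed offset, and a response has to be tied back to its request) shown as an added example; it is not part of the original thread. It assumes each payload is one complete, already reassembled HTTP/1.x message, and the host name, connection ids and sample messages are constructed for illustration.

```python
from collections import defaultdict, deque

# User-Agent value quoted in the thread.
SAFARI_MAC = b"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en)"

def user_agent(payload):
    """Return (byte offset of the header line, value), or None if absent."""
    offset = 0
    for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return offset, value.strip()
        offset += len(line) + 2  # +2 for the CRLF
    return None

def status_code(payload):
    """Return the status code if payload starts with a status line, else None."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def correlate(segments):
    """Pair each response status with the User-Agent of the request it answers.
    segments: (connection_id, payload) tuples in capture order. Requests are
    queued per connection because HTTP/1.1 answers them in order."""
    pending = defaultdict(deque)
    pairs = []
    for conn, payload in segments:
        code = status_code(payload)
        if code is None:                      # a request: remember its User-Agent
            found = user_agent(payload)
            pending[conn].append(found[1] if found else None)
        elif pending[conn]:                   # a response: match oldest request
            pairs.append((conn, pending[conn].popleft(), code))
    return pairs

# Constructed sample traffic (hypothetical host and connection ids).
REQ_A = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
         b"User-Agent: " + SAFARI_MAC + b"\r\n\r\n")
REQ_B = (b"GET /x HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html,*/*\r\n"
         b"User-Agent: " + SAFARI_MAC + b"\r\n\r\n")
RESP_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
RESP_500 = b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n"
SEGMENTS = [("c1", REQ_A), ("c2", REQ_B), ("c2", RESP_500), ("c1", RESP_200)]

if __name__ == "__main__":
    print(user_agent(REQ_A)[0], user_agent(REQ_B)[0], correlate(SEGMENTS))
```

The same User-Agent value starts at a different byte position in the two requests because one carries an extra Accept header, which is why a fixed-offset capture filter misses it.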