Wireshark mailing list archives
Re: filter for ONLY initial get request
From: "Thierry Emmanuel" <Emmanuel.Thierry () technicolor com>
Date: Thu, 12 Aug 2010 10:09:52 +0200
-----Original Message----- From: Jeffs [mailto:jeffs () speakeasy net] Sent: mercredi 11 août 2010 22:08 To: Thierry Emmanuel Cc: Community support list for Wireshark Subject: Re: [Wireshark-users] filter for ONLY initial get request
I agree that not all websites have their main address as "www". But given that I am up until now unable to effectively remove all the extra domains that are captured and I am therefore bringing in a lot of extraneous domain names, I have to choose between the lesser of two evils -- lose some domains or pull in a lot of unwanted domain names that totally pollute my desired results.
It's a choice that I can understand. You are the only one to exactly know your needs and your contrainsts.
I wish there was a way to capture ONLY the initially requested URL that is either clicked or typed into the browser address bar.
So you might have to plugin the browser. :D
I was thinking that maybe a tap might solve this problem because it would capture only one half of a duplex conversation on one wire (the outgoing request) and thus only capture the requested URL.
I don't know if I clearly understand what you mean, but advertising links and meta content which are part of a page and which pollute your results don't come from the http response but subsequent requests made by the browser to get the additional content.
Your suggestion of parsing the data is indeed unique and intersting. Are you suggesting that dumpcap or ethereal would somehow interogate the link, follow it and then make a determination. This sounds like a very interesting prospect but I'm not fully sure I understand how it would work.
It were a solution a bit "violent". ;) This information could be extracted by a mime-type analyzer processing the content of the page. But I had forgot a more simpler solution. You can read the mime-type announced by the webserver, located in the "Content-type" field. As says RFC 2616, this information isn't required in the packet but in fact it is allmost always there. So when this field is present in the http response, you can parse it and check that the response is html, plain text, or xml. If it isn't, you can discard it (by this way, you'll be able to ignore images, videos, applets, javascript files, css files (less important because they are commonly hosted on the same domain), so a large part of noise. The difficulty is that if you extract the required url from the request, you have to make a relation between the request and the response and you might need scripting. You could bypass this limitation by working only on the response but I don't have studied that point especially. Best regards ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Re: filter for ONLY initial get request, (continued)
- Re: filter for ONLY initial get request Sake Blok (Aug 09)
- Re: filter for ONLY initial get request Sake Blok (Aug 09)
- Re: filter for ONLY initial get request Jeffs (Aug 09)
- Re: filter for ONLY initial get request Jeffs (Aug 09)
- Re: filter for ONLY initial get request Sake Blok (Aug 09)
- Re: filter for ONLY initial get request Jeffs (Aug 10)
- Re: filter for ONLY initial get request Sake Blok (Aug 11)
- Re: filter for ONLY initial get request Jeffs (Aug 11)
- Re: filter for ONLY initial get request Thierry Emmanuel (Aug 11)
- Re: filter for ONLY initial get request Jeffs (Aug 11)
- Re: filter for ONLY initial get request Thierry Emmanuel (Aug 12)
- Re: filter for ONLY initial get request Sake Blok (Aug 12)
- Re: filter for ONLY initial get request Thierry Emmanuel (Aug 12)
- Re: filter for ONLY initial get request Sake Blok (Aug 12)
- Re: filter for ONLY initial get request Thierry Emmanuel (Aug 12)
- Re: filter for ONLY initial get request Jeffs (Aug 12)
- Re: filter for ONLY initial get request Thierry Emmanuel (Aug 12)
- Re: filter for ONLY initial get request Jeffs (Aug 12)
- Re: filter for ONLY initial get request Thierry Emmanuel (Aug 13)
- Re: filter for ONLY initial get request Jeffs (Aug 13)
- Re: filter for ONLY initial get request Martin Visser (Aug 15)