Wireshark mailing list archives
Re: filter for ONLY initial get request
From: Jeffs <jeffs () speakeasy net>
Date: Sun, 08 Aug 2010 00:56:17 -0400
On 8/8/2010 12:02 AM, David Alanis wrote:
> Quoting Jeffs <jeffs () speakeasy net>:
>
>> I am working on a project which requires that the traffic across the network grab ONLY the initial get request for http requests. Usually, if I use something like wireshark or justniffer, on a single user's get request for, say, http://www.nytimes.com, I will receive all the following traffic and then some, based on just one request to http://www.nytimes.com:
>>
>> nytimes.com
>> timespeople.nytimes.com
>> c.brightcove.com
>> admin.brightcove.com
>> graphics8.nytimes.com
>> s0.2mdn.net
>>
>> Is there a way in wireshark or in any other network analysis tool to grab or filter out just the initial http request for the domain and disregard all the other follow-up hosts (usually associated advertising) that accompany these requests? In other words, all I want to log or see in the filter results, in the above example, would be:
>>
>> nytimes.com
>>
>> Thank you.
>> ___________________________________________________________________________
>> Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
>> Archives: http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>> mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
> I put in a simple filter of:
>
> http.request || tcp contains domain.com
>
> and it appears to have accomplished what you asked.
>
> Cheers-
That works if I know the domain name. In this scenario the nytimes.com domain was just used as an example. In the real world there will be no way of knowing what the domains will be that people surf to. I'm guessing there is no way within wireshark to extract ONLY the very first http get request from a transaction.
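
Added example, not part of the original thread or of Wireshark: one heuristic for the unknown-domain case is to keep only GET requests that carry no `Referer` header, on the assumption that the follow-up requests a page triggers do carry one. The helper names, client addresses, paths and sample requests below are constructed for illustration; only the host names come from the message above.

```python
def parse_request(raw):
    """Split a raw HTTP request head into (method, path, headers) or None."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not an HTTP request line (e.g. mid-stream payload)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def initial_requests(captured):
    """captured: (client_ip, raw_request) pairs in capture order.
    Returns (client_ip, host) for every GET that has no Referer header."""
    found = []
    for client, raw in captured:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        method, _path, headers = parsed
        if method == "GET" and "referer" not in headers:
            found.append((client, headers.get("host", "")))
    return found


def req(host, path="/", referer=None, method="GET"):
    """Build a constructed sample request head."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    if referer:
        lines.append(f"Referer: {referer}")
    return "\r\n".join(lines) + "\r\n\r\n"


NYT = "http://www.nytimes.com/"
SAMPLE = [  # constructed capture: one page load plus an unrelated client
    ("192.0.2.10", req("www.nytimes.com")),
    ("192.0.2.10", req("graphics8.nytimes.com", "/logo.gif", NYT)),
    ("192.0.2.10", req("c.brightcove.com", "/player.js", NYT)),
    ("192.0.2.10", req("s0.2mdn.net", "/ad.js", NYT)),
    ("192.0.2.10", "\x00\x01 not an http request"),
    ("192.0.2.11", req("example.org", "/form", method="POST")),
    ("192.0.2.11", req("example.org")),
]

if __name__ == "__main__":
    for client, host in initial_requests(SAMPLE):
        print(client, host)
```

In Wireshark the same heuristic can be written as the display filter `http.request.method == "GET" && !http.referer`. A page reached by following a link also carries a `Referer` header, so this finds typed or bookmarked first requests, not every navigation.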