Re: Hex Offset Needed

[Abhijit Bare <abhibare () gmail com>]

Hi John,

Can you use "http/1.1" string as an indicator of response code? Only HTTP
response packets have "http/1.1" or "http/1.0" (case can be upper) followed
by a <space> followed by http response code (look for one digit). If you can
parse this out while stream is coming in and that digit is "0", will that
mean that you have found the packet? HTTP request also has "http/1.1", but
there is generally no space and digit following it. Other traffic may not
have the same pattern too.

Thanks,
Abhijit

On Tue, Mar 2, 2010 at 5:09 AM, Sheahan, John <John.Sheahan () priceline com>wrote:

>  Good points Martin.
>
>
>
> You’re right about there being no HTTP response code of 0.
>
>
>
> The software that the web guys use to analyze the front end web traffic
> will put a “0” in if it finds a packet that has an http accept and for some
> reason the HTTP response code is missing or unreadable and these are the
> packets that I’m trying to capture however there is so much HTTP traffic on
> the web segment that my buffer fills up in seconds so I need to try and
> narrow it down with a filter.
>
>
>
> The only things I have to go by are:
>
>
>
> 1.       Sometimes the HTTP Response code can’t be read.
>
> 2.       The problem seems to come from Safari browsers on MAC machines
>
>
>
> Since the User Agent data comes after a variable length Accept field as you
> point out, wouldn’t be easier for me at this point to filter on just Accept
> messages? I think if I do it this way, it will take a good amount of time to
> fill up the buffer and I can look to the web admins to tell me when they see
> the error in their logs and match it up that way?
>
>
>
> Thanks for the help
>
>
>
> John
>
>
>
> *From:* wireshark-users-bounces () wireshark org [mailto:
> wireshark-users-bounces () wireshark org] *On Behalf Of *Martin Visser
> *Sent:* Monday, March 01, 2010 9:53 PM
>
> *To:* Community support list for Wireshark
> *Subject:* Re: [Wireshark-users] Hex Offset Needed
>
>
>
> John,
>
>
>
> This is a bit tricky. Firstly I don't believe that there is a HTTP response
> code (or status code) with a value of "0"
>
>
>
> (See http://en.wikipedia.org/wiki/List_of_HTTP_status_codes and the RFCs )
>
>
>
> Also the HTTP "User-Agent" is going to go out in the request, and is not
> seen in the response. So whatever you do needs to be "stateful" knowing that
> the response is associated with a particular requests.
>
>
>
> Also I don't think there is a guarantee and on the "offset" in a packet
> where the response code will be and almost certainly not for the
> "User-Agent"  string as it usually preceded by the "Accept" string which is
> quite variable amongst browsers.
>
>
>
> However you can use the Wireshark "Packet Bytes" pane (usually at the
> bottom of the window) to see if you cand devise something that is a "good
> enough" filter to limit what you capture and then refine it further with
> Wireshark to do it properly.
>
>
>
>
>
>
> Regards, Martin
>
> MartinVisser99 () gmail com
>
>  On Tue, Mar 2, 2010 at 11:36 AM, Sheahan, John <
> John.Sheahan () priceline com> wrote:
>
> Another way for me  to track this problem down is for me to sniff all
> Safari browsers on MAC’s using HTTP coming into our webservers.
>
>
>
> I will need to create a filter using the offset values for:
>
>
>
> HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en)
>
>
>
> Can anyone help me this together?
>
>
>
> Thanks
>
>
>
> john
>
>
>
>
>
>
>
> *From:* wireshark-users-bounces () wireshark org [mailto:
> wireshark-users-bounces () wireshark org] *On Behalf Of *Sheahan, John
> *Sent:* Monday, March 01, 2010 5:38 PM
> *To:* 'Community support list for Wireshark'
> *Subject:* [Wireshark-users] Hex Offset Needed
>
>
>
> I am trying to troubleshoot an HTTP problem where the StatusCode=0 in the
> HTTP header.
>
>
> I need to capture packets containing this parameter but since I am doing it
> on a Netscout probe, I have no way to figure out the offset of this in a
> packet.
>
>
>
> Can anyone tell me what hex offset I would need to put in as a filter to
> capture these packets?
>
>
>
> Thanks
>
>
>
> John
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe