Filtering HTTP Get Requests in reassambled PDUs

["Gerd Windisch" <gerd.windisch () etit tu-chemnitz de>]

Dear all,

 

I am trying to filter all GET-requests to a certain server out of a PCAP
file. The display filter rule I use is "http.host contains servername". This
works fine as long as I am having the complete PCAP file. Then I save the
filtered packets in a new PCAP file. When I in turn open this PCAP file, the
GET-requests, which weren't in a fragmented PDU, are shown correctly.
However, the others (the fragmented GET-requests) are now displayed as
"Continuation or non-HTTP traffic".  I found out that the dissection of the
complete PCAP file makes use of packet data of neighboring packets, which
are not saved in the output PCAP file. 

The save procedure only saves the last packet of the fragmented PDU. Is
there any solution to save all required packets in the resulting PCAP file,
which allows for proper dissection later on? 

Thanks in advance for your help

 

Regards

Gerd Windisch    

 

 

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe