This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter From field in HTTP header?

Hi, I want to filter "From: " field in HTTP header of a packet but it seems wireshark doesn't understands that field. I am using wireshark verison 1.6.8.

What should be done to resolve this issue? Is there any newer version which supports this field?

Thanks, Ravi

http

asked 11 Jun '12, 08:40

RAVI_TANDON
10●4●4●7
accept rate: 0%

2 Answers:

According to RFC2616 From: is a request header field.

This works on my system:

http.request and http contains "From: "

HOWEVER, this will only filter those requests with that string somewhere in the request. If you want to get the content of the field, there are these options:

run tshark with these options and parse the output with a script (find is just a simple example):

tshark -r http_from_sample.cap -R "http.request and http contains From:" -V | find "From:"

Write a Lua Listener or Post-Dissector
Extend the HTTP dissector to offer http.from or http.request_header.from

Regards
Kurt

answered 11 Jun '12, 09:03

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

edited 11 Jun '12, 09:45

Thanks Kurt.

I tried both the options but I am getting nothing in output. Can you suggest any other option? or writing a dissector is the last option.

Regards, Ravi

(11 Jun '12, 09:23) RAVI_TANDON

maybe there is no From: header in your data. Please try my sample capture.

http://cloudshark.org/captures/132afd675db4

See frame #4. My filter works even on cloudshark.

(11 Jun '12, 09:30) Kurt Knochner ♦

Yeah...its indeed working on your sample capture. But its not working on my capture at:

http://cloudshark.org/captures/479d04160629

It will be really helpful if you can comment that why its not working on my capture?

Thanks, Ravi

(11 Jun '12, 11:28) RAVI_TANDON

Dissection of your GPRS-Tunneled data stops at the TCP level, so there are no HTTP fields available.

(11 Jun '12, 12:45) Kurt Knochner ♦

But you know, its dissected when there is no From field in the HTTP packet inside TCP. You can check the same at

http://cloudshark.org/captures/c7e25f2d51b5

So, is there any way that wireshark also decodes it after it gets the From field.

Thanks, Ravi

(11 Jun '12, 13:13) RAVI_TANDON

There is a problem with the request. http1.cap does not end with a single CRLF (0x0d0a). Actually it's two CRLF. One for the last request header and one for an "empty line". The HTTP RFC defines this as a marker for the end of the request headers. Wireshark does not accept that as a valid HTTP request. I changed the last few bytes with a HEX editor and now the HTTP request gets dissected. Please check your GPRS encapsulation or the tool that generates the HTTP request.

(11 Jun '12, 14:13) Kurt Knochner ♦

Yeah....you are right, I wasn't able to figure it out that problem is with the packet and not wireshark, thanks a lot for helping me out.

Regards, Ravi

(11 Jun '12, 14:47) RAVI_TANDON

showing 5 of 7 show 2 more comments

Wireshark allows configuring the HTTP dissector to parse custom header fields, allowing you to access the header field with display-filter syntax:

http.header.From

This requires no code modification or scripting. Follow the instructions from a similar post.

answered 11 Jun '12, 10:18

helloworld
3.1k●4●20●41
accept rate: 28%

Nice. I must admit, I have never used that feature.

(11 Jun '12, 11:49) Kurt Knochner ♦

Thanks, its really a cool feature.

(11 Jun '12, 15:00) RAVI_TANDON