This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to get all of the http sessions related to one web page?

0

Dear,

When I load one web page, it generates many HTTP sessions (like GET/response), and it's difficult to get all of the HTTP packets related to one web page. Do you have some ideas?

asked 18 Jul '12, 05:32

chinasan

edited 28 Sep '12, 05:47

cmaynard


One Answer:

1

how to get all of the http session related to one web page?

Unfortunately that's not easy as HTTP is a stateless protocol and there is no way to relate several HTTP requests with one "web page" (what you see in the browser).

Take a look at http://www.nbc.com. There is a lot of content from other pages (adclick, twitter, etc.) linked into that page. Your browser first loads the main page (www.nbc.com) and then follows all links in the HTML document. So, for the browser it is easy to get it all together.

Wireshark however captures only single (unrelated) requests and responses. So, it's hard to figure out if a request belongs to one page or another (if it's the same server).

Imagine you load two different pages on the same webserver in parallel (two browser windows). The browsers know what they requested and what to show. Wireshark sees only requests and responses from the same IP addresses and cannot distinguish if they came from one browser window or the other. So it's nearly impossible to get all "sessions related to one page".

So, what can you do:

  • Filter on the IP address of the target server (ip.addr eq x.x.x.x). This will at least give you all requests and responses from one server. However, these could be from different pages ("sessions") on the server (see the two-browser sample above).
  • Try to find a SESSIONID in the first request (a Cookie, JSESSIONID, PHPSESSIONID) and try to filter on that.
  • Write your own TAP that does a more thorough HTTP inspection. Then you can parse the HTML code and figure out all links in the page. Then, if you see a request to one of those links within a short period of time it's kind of likely that these requests belong to the same "session", although there is no guarantee.

Regards
Kurt

answered 18 Jul '12, 06:35

Kurt Knochner

edited 18 Jul '12, 07:05
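The third suggestion in the answer above (parse the HTML, then match later requests against its links within a short time window) can be sketched offline as follows. This is an added example, not code from the answer or from Wireshark: the function names, the 5-second window, and the sample page and request list are all constructed for illustration, and the requests are assumed to have already been exported from a capture as (timestamp, full URL) pairs.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

WINDOW = 5.0  # assumed threshold: seconds after the page response

class LinkCollector(HTMLParser):
    """Collect absolute URLs of resources a browser fetches automatically."""
    AUTO_FETCH_TAGS = ("img", "script", "link", "iframe")  # <a href> is not auto-fetched

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        if tag not in self.AUTO_FETCH_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.urls.add(urljoin(self.base_url, value))

def group_requests(page_url, page_time, html, requests, window=WINDOW):
    """Split requests into (likely part of this page, everything else)."""
    collector = LinkCollector(page_url)
    collector.feed(html)
    likely, other = [], []
    for ts, url in requests:
        in_window = 0 <= ts - page_time <= window
        bucket = likely if (in_window and url in collector.urls) else other
        bucket.append((ts, url))
    return likely, other

# Constructed sample: one page body and the requests seen after it.
PAGE_URL = "http://www.example.com/index.html"
PAGE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body><img src="img/logo.png">
<a href="/about.html">About</a></body></html>"""
REQUESTS = [
    (0.12, "http://www.example.com/css/site.css"),
    (0.15, "http://cdn.example.net/lib.js"),        # different server, same page
    (0.30, "http://www.example.com/img/logo.png"),
    (0.40, "http://www.example.com/other.html"),    # second browser window, same server
    (42.0, "http://www.example.com/css/site.css"),  # linked URL, but far outside the window
]

if __name__ == "__main__":
    likely, other = group_requests(PAGE_URL, 0.0, PAGE_HTML, REQUESTS)
    print("likely part of page:", likely)
    print("not attributed:", other)
```

Unlike the plain IP filter, this keeps the CDN request and drops the parallel request to the same server, but as the answer says, the result is a likelihood rather than a guarantee.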

I see that you awarded one (your only) karma point to Kurt, that's a great gesture. However, the best way to award someone for providing you with a useful answer is to click on the thumbs-up. That will give the person 15 karma points. On top of that you can "accept" the answer that answered your question best by clicking on the "Checkmark" under the thumbs-up/down. This will add another 25 karma points to the person that gave the answer.

(28 Sep '12, 01:36) SYN-bit ♦♦