Hi guys, I would like to learn how to filter multiple whole TCP streams based on an inner protocol condition, e.g. HTTP header values. E.g. I have a capture from a proxy with a lot of users, and I want to see only the TCP streams which are connecting to www.google.com. The point here is to see the whole TCP stream, not only the frames containing the HTTP header with "Host: www.google.com".

Of course, I can always use "http.host==www.google.com", extract the TCP stream number, and rewrite the filter to "tcp.stream==X". However, this starts to be an annoying problem if I have tens or hundreds of connections. It takes a lot of time and is not flexible. In an object language, I would write something like tcp.stream==(http.host==www.google.com).tcp.stream

Thanks in advance!!!

Jozef

asked 22 Nov '12, 07:48 Jozef
2 Answers:
Sad enough, conditional filtering is not working in Wireshark. What you CAN do to accomplish those tasks where you want to filter based on another filter is to use tshark scripting to do the following:

This gives you a list of the stream indexes that match your filter. After that, with the use of CLI tools like sort, uniq, sed etc., you can in a second step (or all in one) produce a long display filter containing all "or-ed" tcp.stream values you are looking for, e.g.
answered 22 Nov '12, 08:06 Landi
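The two-step approach from the answer above, written out as an added example (not from the original post): tshark lists the tcp.stream index of every frame whose HTTP Host header matches, and a small sort/uniq/awk pipeline turns that list into one or-ed display filter. The capture name proxy.pcap and the sample stream list are constructed for illustration.

```shell
#!/bin/sh
# Step 1: print the TCP stream index of every frame matching the inner-protocol
# condition. Needs tshark and the capture file, so it is defined but not run here.
#   usage: list_matching_streams proxy.pcap www.google.com
list_matching_streams() {
    tshark -r "$1" -Y "http.host == \"$2\"" -T fields -e tcp.stream
}

# Step 2: read stream indexes on stdin (one per line, duplicates expected since
# every matching frame prints its stream) and emit a single or-ed display filter
# that selects the whole streams, not just the frames carrying the Host header.
build_stream_filter() {
    sort -n | uniq | awk '
        NF { printf "%s%s", (n++ ? " || " : ""), "tcp.stream == " $1 }
        END { print "" }'
}

# Constructed sample of what step 1 prints for a capture with three matching streams.
SAMPLE_STREAMS='12
7
12
35
7'

# Full pipeline would be:  list_matching_streams proxy.pcap www.google.com | build_stream_filter
printf '%s\n' "$SAMPLE_STREAMS" | build_stream_filter
# prints: tcp.stream == 7 || tcp.stream == 12 || tcp.stream == 35
```

The resulting line can be pasted straight into the Wireshark display filter bar, or passed to tshark with -Y to extract exactly those streams.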
You could probably achieve what you want with MATE.

answered 26 Nov '12, 12:00 JeffMorriss
Hi Landi,
Thanks. Currently I'm doing it in a very similar way: I use the http.host==www.google.com filter, export packet dissections to a text file, and, as you said, using grep, awk and sed I prepare a long or-ed list. Not as elegant as with your tshark, however.

Anyway, tshark can save me a minute or so; however, it still cuts my thoughts when I'm trying to focus on investigating a problem, and I often lose concentration while playing with those filters. I would prefer something quicker. But thanks anyway. Maybe in newer versions there will be conditional filtering or some other sort of backreference.
Thank you.
Jozef