I would like to learn how to filter multiple whole TCP streams based on an inner-protocol condition, e.g. HTTP header values.
E.g. I have a capture from a proxy with a lot of users, and I want to see only the TCP streams which are connecting to www.google.com. The point here is to see the whole TCP stream, not only the frames containing the HTTP header with "Host: www.google.com".
Of course, I can always use "http.host==www.google.com", extract the TCP stream number, and rewrite the filter to "tcp.stream==X". However, this starts to be an annoying problem if I have tens or hundreds of connections. It takes a lot of time and is not flexible.
In an object language, I would write something like
Thanks in advance!!!
asked 22 Nov '12, 07:48
Sadly enough, conditional filtering is not working in Wireshark. What you CAN do to accomplish those tasks where you want to filter based on another filter is to use tshark scripting to do the following:
This gives you a list of the stream indexes that match your filter. After that, with the use of CLI tools like sort, uniq, sed etc., you can in a second step (or all in one) produce a long display filter containing all the "or-ed" tcp.stream values you are looking for.
answered 22 Nov '12, 08:06
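The two-step procedure from the answer above, written out as a POSIX shell script; this is an added example, not the answerer's own script. It assumes tshark is installed, and the capture path and the `http.host` filter value are placeholders to substitute.

```shell
#!/bin/sh
# Added example: build a display filter that selects the WHOLE TCP streams
# whose inner protocol matches some condition (here an HTTP Host header).

# Step 1: list the tcp.stream indexes of frames matching the inner filter.
# Requires tshark; capture path and filter are caller-supplied placeholders.
matching_streams() {
    pcap=$1
    filter=$2
    tshark -r "$pcap" -Y "$filter" -T fields -e tcp.stream | sort -n | uniq
}

# Step 2: turn stream indexes (one per line on stdin, possibly unsorted or
# duplicated) into an or-ed display filter: tcp.stream==3 || tcp.stream==17
# Edge case: with no matching streams an empty filter would show EVERY frame,
# so emit a filter that matches nothing instead (frame numbers start at 1).
build_stream_filter() {
    sort -n | uniq | awk '
        NF  { printf "%stcp.stream==%s", (n++ ? " || " : ""), $1 }
        END { if (!n) printf "frame.number==0"; print "" }'
}

# Usage (both values are placeholders):
#   f=$(matching_streams capture.pcap 'http.host == "www.google.com"' | build_stream_filter)
#   tshark -r capture.pcap -Y "$f"
```

The resulting filter string can also be pasted into the Wireshark GUI display-filter bar to see the full streams there.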
You could probably achieve what you want with MATE.
answered 26 Nov '12, 12:00