This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter the whole TCP streams based on inner protocol condition

0

Hi guys,

I would like to learn how to filter multiple whole TCP streams based on an inner protocol condition, e.g. HTTP header values.

E.g. I have a capture from a proxy with a lot of users, and I want to see only TCP streams which are connecting to www.google.com. The point here is to see the whole TCP stream, not only the frames containing an HTTP header with "Host: www.google.com".

Of course, I can always use "http.host==www.google.com", extract the TCP stream number, and rewrite the filter to "tcp.stream==X". However, this starts to be an annoying problem if I have tens or hundreds of connections. It takes a lot of time and is not flexible.

In an object language, I would write something like

tcp.stream==(http.host==www.google.com).tcp.stream

Thanks in advance!!!

Jozef

asked 22 Nov '12, 07:48

Jozef
accept rate: 0%


2 Answers:

1

Sadly enough, conditional filtering is not working in Wireshark. What you CAN do to accomplish those tasks where you want to filter based on another filter is to use tshark scripting to do the following:

tshark -r trace.pcap -2 -R "http.host==www.google.com" -n -Tfields -e tcp.stream

This gives you a list of the stream indexes that match your filter. After that, with the use of CLI tools like sort, uniq, sed etc., you can in a second step (or all in one) produce a long display filter containing all "or-ed" tcp.stream values you are looking for.

e.g.

tshark -r trace.pcap -2 -R "http.host==www.google.com" -n -Tfields -e tcp.stream | sort -un | sed ':a;N;$!ba;s/\n/ or tcp.stream==/g;s/^/tcp.stream==/'

answered 22 Nov '12, 08:06

Landi
accept rate: 28%

Hi Landi,

Thanks. Currently I'm doing it in a very similar way: I use the http.host==www.google.com filter, export packet dissections to a text file, and as you said, using grep, awk and sed I prepare a long or-ed list. Not as elegant as with your tshark, however.

Anyway, tshark can save me a minute or so, however it still cuts my thoughts when I'm trying to focus on investigating a problem and I often lose concentration while playing with those filters. I would prefer something quicker. But thanks anyway. Maybe in newer versions there will be conditional filtering or some other sort of backreference.

Thank you.

Jozef

(22 Nov '12, 13:39) Jozef
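A scripted version of the two-step procedure from Landi's answer, as an added example that is not part of the original answer. It assumes tshark 1.8 or later (which accepts -Y for a display filter), and the helper names build_stream_filter and extract_matching_streams are illustrative. The filter-building step is fed a constructed sample of stream indexes, so that part runs without tshark or a capture; only extract_matching_streams needs tshark and a real pcap.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes tshark 1.8+ (-Y).

# build_stream_filter: read tcp.stream indexes, one per line, on stdin
# (the format `tshark -T fields -e tcp.stream` prints), drop duplicates,
# and print one display filter that selects every packet of those
# streams, e.g. "tcp.stream==3 or tcp.stream==7".
# Prints nothing at all if no index was read, so callers can detect it.
build_stream_filter() {
    sort -un | awk '
        NF  { printf "%stcp.stream==%s", sep, $1; sep = " or " }
        END { if (sep != "") print "" }'
}

# Constructed sample: what the first tshark pass would print for a
# capture in which streams 7, 3 and 12 carried "Host: www.google.com"
# (streams 7 and 3 matched on more than one request each).
SAMPLE_STREAM_INDEXES='7
3
7
12
3'

# filter_from_sample: the helper run over the constructed sample, so the
# result can be checked without tshark installed.
filter_from_sample() {
    printf '%s\n' "$SAMPLE_STREAM_INDEXES" | build_stream_filter
}

# extract_matching_streams CAPTURE MATCH_FILTER
# Pass one lists the stream index of each packet matching MATCH_FILTER;
# pass two replays the capture through the or-ed tcp.stream filter so
# the whole streams are shown, not just the matching frames.
extract_matching_streams() {
    capture=$1
    match=$2
    stream_filter=$(tshark -r "$capture" -n -Y "$match" -T fields -e tcp.stream \
                    | build_stream_filter)
    if [ -z "$stream_filter" ]; then
        echo "no packets matched '$match' in $capture" >&2
        return 1
    fi
    # Add -w out.pcap here to save the selected streams instead of printing.
    tshark -r "$capture" -n -Y "$stream_filter"
}

# Run stand-alone: show the filter built from the constructed sample.
filter_from_sample
# Usage with a real capture (needs tshark):
#   extract_matching_streams trace.pcap 'http.host=="www.google.com"'
```

The awk join avoids the off-by-one of a plain newline-to-" or tcp.stream==" substitution (the first index would otherwise lack its "tcp.stream==" prefix), and the empty-result check keeps the second pass from running with an empty display filter, which would show the whole capture instead of nothing.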

0

You could probably achieve what you want with MATE.

answered 26 Nov '12, 12:00

JeffMorriss ♦
accept rate: 27%