This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HTTP requests without cookies

0

We have an apparent problem in that some requests to our IIS server do not have cookies. We actually have an ISAPI filter that is reporting the problem but we would like an independent verification: (a) how do we set up a filter in Wireshark that shows the http requests that do NOT have cookies [ignoring those that do]. (b) how to we set up a filter that shows HTTP traffic with cookies that exceed a certain size

Thanks

asked 31 Jan '11, 16:02

Julian%20Dohmen's gravatar image

Julian Dohmen
1111
accept rate: 0%


2 Answers:

1

(a) http.request.method and not http.cookie

(b) not sure how to do this, there doesn't seem to be a good way to filter for this, but maybe somebody else has a good idea

answered 31 Jan '11, 16:45

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 31 Jan '11, 17:07

Thanks! I am pretty new to Wireshark - I see that the filter above is a Display Filter which I am trying out [and I did use the word show of course] but is there a capture filter that would only allow cookie-less http requests through? Thanks

(01 Feb '11, 06:28) Julian Dohmen

I'm not sure if this is possible, maybe through some very advanced offset matching filters, but that is beyond my experience as I rarely use capture filters at all (and when I do I usually filter on nothing more than MAC or IP addresses). Maybe somebody else has a solution for you.

(01 Feb '11, 06:49) Jasper ♦♦

Thanks - we can probably use your display filter as the main thing is to see items without cookies.

(01 Feb '11, 11:29) Julian Dohmen

0

Capture HTTP GET requests:
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

You can find this and other capture filter examples in the Wireshark Wiki.

answered 01 Feb '11, 21:13

joke's gravatar image

joke
1.3k4934
accept rate: 9%