This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter only Http.cookie before starting

0

Hello, how can I filter only http.cookie before starting the capture?

When I use the http filter I don't get any packets, but when I don't choose any filter I get all packets!

I know that I can use the http.cookie filter when capturing, but is there any way to only capture http.cookie from all sites?

Thanks

asked 17 Aug '13, 13:03

itboys
accept rate: 0%


2 Answers:

0

You can't create a capture filter that looks for a specific cookie, as that filter would need to loop through the HTTP headers to find the cookie header line. Capture filters use BPF and are executed in the kernel; that's why a jump backwards (needed for the loop) is not allowed, to prevent an infinite loop in the kernel.

What you can do is filter on port 80 during capturing and then filter for the cookie when analyzing the data.

answered 17 Aug '13, 15:32

SYN-bit ♦♦
accept rate: 20%

0

but is there any way to only capture http.cookie from all sites??

No, it is not possible to capture only HTTP cookies (see the answer of @SYN-bit).

However, if you just need the Cookie names and the values, you can use ngrep on several Unix systems (Linux, etc.) and even on Windows.

ngrep -d eth0 -W byline 'Cookie:' port 80 | egrep '(Cookie:|->)'

This will look for the string "Cookie:" (the HTTP header) on all HTTP connections (port 80). The output looks like this (several cookies in use at the sample page).

T 192.168.158.134:60806 -> 108.162.204.234:80 [AP]
Cookie: __utma=87653150.584013553.1368057495.1368057495.1368057495.1; __utmz=87653150.1368057495.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __cfduid=d5de20eee1f1e5a337360768a92d829051373446194; csrftoken=0d7650a7e762b88664d2b9cdd7c4197f; __utma=46672567.888537486.1372378054.1375087941.1376861294.3; __utmz=46672567.1372378054.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); sessionid=a19b0f1adf49cf486e45696a742b0c38; greeting_set=True; __utmb=46672567.6.10.1376861294; __utmc=46672567.

Then pipe that output into a script and extract whatever you need.

Optionally, you can write the matched packets to a file and then analyze that file with wireshark/tshark.

ngrep -d eth0 -O /var/tmp/cookies.pcap 'Cookie:' port 80

Regards
Kurt

answered 18 Aug '13, 14:42

Kurt Knochner ♦
accept rate: 15%

edited 18 Aug '13, 15:08
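
One way to write the script that the filtered ngrep output above is piped into, as an added example that is not part of the original answer: it parses the `-W byline` lines and reports, per destination, which cookie names travel over cleartext HTTP, keeping only the value lengths. The function names and the sample lines are constructed for illustration, and the trailing-dot handling assumes ngrep prints the carriage return of each header line as ".".

```python
import sys
from collections import defaultdict

def parse_ngrep(lines):
    """Yield (src, dst, name, value) per request cookie in ngrep -W byline output."""
    src = dst = None
    for raw in lines:
        line = raw.strip()
        parts = line.split()
        # Connection line, e.g. "T 192.0.2.10:60806 -> 198.51.100.20:80 [AP]"
        if parts and parts[0] == "T" and "->" in parts[1:-1]:
            i = parts.index("->")
            src, dst = parts[i - 1], parts[i + 1]
            continue
        # Only request "Cookie:" headers; "Set-Cookie:" also passes the egrep
        # filter (it contains "Cookie:") but is a response header, so skip it.
        if dst is None or not line.lower().startswith("cookie:"):
            continue
        body = line[len("cookie:"):].strip()
        # Assumption: ngrep renders the CR of the CRLF line ending as one "."
        if body.endswith("."):
            body = body[:-1]
        for pair in body.split(";"):
            name, sep, value = pair.strip().partition("=")  # split on first "="
            if sep and name:
                yield src, dst, name, value

def cleartext_cookie_report(lines):
    """Map destination -> {cookie name: value length}; values are not stored."""
    report = defaultdict(dict)
    for _src, dst, name, value in parse_ngrep(lines):
        report[dst][name] = len(value)
    return {dst: dict(names) for dst, names in report.items()}

# Constructed sample in the shape of the output shown above (documentation IPs).
SAMPLE = [
    "T 192.0.2.10:60806 -> 198.51.100.20:80 [AP]",
    "Cookie: csrftoken=abc123; sessionid=deadbeef; pref=a=b; greeting_set=True.",
    "T 198.51.100.20:80 -> 192.0.2.10:60806 [AP]",
    "Set-Cookie: sessionid=zzz; Path=/.",
]

if __name__ == "__main__":
    # Reads the piped ngrep output on stdin; falls back to the sample on a TTY.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for dst, names in cleartext_cookie_report(source).items():
        print(dst, names)
```

Saved under a name such as cookie_report.py (hypothetical), it is used by appending `| python3 cookie_report.py` to the first ngrep command.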