This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm investigating some page timeout issues in a live system. The root problem is a link between Atlassian's Confluence and Jira; pages in the former time out when embedding content from the latter. This data exchange is primarily JSON and XML over HTTP; a typical single page load might result in 50-70 HTTP requests. Both systems are behind an apache proxy.

At the moment, I don't have the luxury of testing this in isolation and I can't replicate it in the lab setup, so I'm running tshark captures between the proxy to the live JIRA system. So far so good; I can use the TCP stats to get the session times and see some requests taking far too long to process, but I can't be sure which are as a result of the specific page load I triggered.

There's a unique cookie that should identify a given session's requests. What I'd like is a filter that shows me the entire TCP session traffic where that specific cookie is somewhere in the payload. Is that possible within Wireshark?

asked 02 Oct '13, 04:03

TerryD

Maybe I don't quite understand the subtlety of your question...but it sounds like you simply want to isolate a specific TCP connection given a segment with a specific string. If that's the case, there are plenty of ways to do that. What I would do personally is search for the packet containing the cookie. Once you find it, expand the TCP header and look at the value of [Stream Index] - this is Wireshark's way of labeling each unique TCP session. Take that value, and use it as a filter. For example, if the stream number is 416, you would use this simple display filter:

tcp.stream == 416

There are other ways to do this, such as right-clicking on the packet containing the cookie value and selecting Conversation Filter -> TCP, or simply "Follow TCP Stream". But I find the TCP stream number so useful, I have added a custom column to my preferences so I am always aware of it.

(02 Oct '13, 05:37) smp

Hi smp. That's the start of what I'm looking to do. I can use Statistics->Conversation List->TCP to get a list and duration of every TCP session with the capture and I can, usefully, isolate individual streams. However, what I can't do is isolate all of the streams related to a particular page load.

Every one of those streams will have an HTTP GET request in there and each of those requests will share a single, unique cookie. If Wireshark had a plain English parser, I'd say "Show me all of the full TCP streams that contain HTTP requests with 'SESSIONID=xyz' in the request header". That's the best way I can phrase it.

(02 Oct '13, 08:03) TerryD

Oh, that clarifies it perfectly, and it's a great question. Unfortunately, I don't know the answer so I'm going to sit back and watch for a more knowledgeable response. Sorry I couldn't help further.

(02 Oct '13, 08:10) smp

If you look at the SharkFest'11 session on command line scripting from @SYN-bit here, Example 3 (slide 42) Sake shows you how to find all sessions with a specific http cookie.

I did a PowerShell version of this at SharkFest'12, the session is here, and you should look around page 30 for the section "All sessions with cookie xxxx".

answered 02 Oct '13, 09:41

grahamb ♦
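The two-pass approach referenced above (tshark generating a display filter for a second tshark run), written out as an added example rather than code taken from either SharkFest session. It assumes a capture file and a cookie value supplied by the caller; `http.cookie` and `tcp.stream` are real Wireshark field names, and `-Y` is the display-filter option in tshark 1.10 and later (older releases use `-R`).

```shell
#!/bin/sh
# Pass 1: find the TCP stream indices carrying the cookie.
# Pass 2: dump every packet of those streams, not just the HTTP requests.
# Arguments (caller-supplied placeholders): capture file, cookie substring.

# Turn a list of stream indices on stdin (one per line, duplicates allowed)
# into a display filter such as "tcp.stream == 3 || tcp.stream == 7".
build_stream_filter() {
    sort -n -u | awk '
        NF == 0 { next }
        { terms = terms (terms == "" ? "" : " || ") "tcp.stream == " $1 }
        END { print terms }'
}

# Pass 1: http.cookie is the dissected Cookie request header; "contains"
# is a substring match, so "SESSIONID=xyz" needs no exact-value quoting.
cookie_streams() {
    pcap=$1
    cookie=$2
    tshark -r "$pcap" -Y "http.cookie contains \"$cookie\"" -T fields -e tcp.stream
}

# Pass 2: re-read the capture with the generated filter so the full streams
# (SYN through FIN, including the slow responses) are shown together.
show_cookie_streams() {
    pcap=$1
    cookie=$2
    filter=$(cookie_streams "$pcap" "$cookie" | build_stream_filter)
    if [ -z "$filter" ]; then
        echo "no streams carry cookie $cookie" >&2
        return 1
    fi
    tshark -r "$pcap" -Y "$filter"
}

# Run the passes only when invoked with both arguments, so the helper
# functions can also be sourced and reused from another script.
if [ $# -eq 2 ]; then
    show_cookie_streams "$1" "$2"
fi
```

With the streams isolated this way, the same stream list can also be fed to Statistics->Conversations to compare durations of only the streams belonging to one page load.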

Thanks! Not only does that answer my question perfectly, but it's introduced me to a whole new source of wizardry. (Using tshark to generate a filter for tshark. The mind boggles...)

(07 Oct '13, 01:35) TerryD
question asked: 02 Oct '13, 04:03

question was seen: 11,254 times

last updated: 07 Oct '13, 01:35