This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Follow HTTP redirects automatically (HTTP status codes 301/302)


In the same way "Follow TCP Stream" joins packets for easier analysis.

Is there a way to follow HTTP redirects without doing it manually?


asked 01 Dec '13, 11:31


elgalu
accept rate: 0%

edited 01 Dec '13, 11:32


One Answer:


Is there a way to follow HTTP redirects without doing it manually?

Wireshark does not provide that functionality and it would be hard to implement for several reasons (see also the comment of @Guy Harris).

In some cases you will see the redirect and the following request in the same TCP connection, if the client uses HTTP/1.1 and it reuses the same connection to the same server. However, as shown in your example, there can also be redirects to a different host (request: rubygems.org, redirect: production.s3.rubygems.org), hence the client must use a different TCP connection.

What you can do is to support the manual process as much as possible, with the features/tools Wireshark provides (and/or tshark):

  1. Add some columns to show the following values: tcp.stream, http.location and http.request.full_uri
  2. Apply the following display filter: http.response.code == 302 or http.response.code == 301 or http.request

The whole thing will look like the following screenshot.


The filtered frames will show the redirect and (in most cases) directly following the request to the redirected page. If there is a lot of traffic, you could further filter the requests, based on client IP (ip.addr) and User-Agent header (http.user_agent).

Then simply take the TCP stream values and build your next filter:

tcp.stream eq 2 or tcp.stream eq 3

Unfortunately you still can't 'follow' both streams at once, but at least you will be able to do the manual analysis a bit faster ;-))

You can do the same thing with tshark and some scripting!

As an alternative, you could write a Listener/Tap (in C or Lua) and filter things there, but that's quite some work to do, and probably not worth the time, if you don't have to follow hundreds of redirects per day.

http://wiki.wireshark.org/Lua/Taps

Regards
Kurt

answered 02 Dec '13, 13:46


Kurt Knochner ♦
accept rate: 15%

edited 02 Dec '13, 13:52
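The "tshark and some scripting" route from the answer above, as an added example that is not part of the original post or of Wireshark itself. The script does the pairing step by hand: it reads the field output of the display filter the answer recommends (tcp.stream, http.response.code, http.location, http.request.full_uri), matches each 301/302 response to the first later request whose URI equals the Location header, and emits the `tcp.stream eq X or tcp.stream eq Y` filter the answer builds manually. The tshark command line in the comment is an assumption about how the input would be produced; the sample lines are constructed, not from a real capture. Relative Location values are matched on path only, since the response row carries no host to resolve them against.

```python
"""Pair HTTP 301/302 redirects with the follow-up request and build a tcp.stream filter.

Input: tab-separated tshark field output. The command that would produce it is
assumed (not run here):

  tshark -r capture.pcap \
    -Y "http.response.code == 302 or http.response.code == 301 or http.request" \
    -T fields -e tcp.stream -e http.response.code -e http.location \
    -e http.request.full_uri -E separator=/t

A response row has a code and a Location; a request row has only a full URI.
"""
from urllib.parse import urlparse

# Constructed sample output (not a real capture). Stream 2 gets a 302 to another
# host, which the client fetches in a new stream 3; stream 7 is a 301 followed
# on the same connection; stream 9's redirect is never followed; stream 11 uses
# a relative Location that the client follows in stream 12.
SAMPLE = (
    "2\t302\thttps://production.s3.rubygems.org/specs.4.8.gz\t\n"
    "3\t\t\thttps://production.s3.rubygems.org/specs.4.8.gz\n"
    "5\t\t\thttp://example.test/unrelated\n"
    "7\t301\thttp://www.example.test/\t\n"
    "7\t\t\thttp://www.example.test/\n"
    "9\t302\thttp://example.test/login\t\n"
    "11\t302\t/moved\t\n"
    "12\t\t\thttps://example.test/moved\n"
)


def parse_fields(text):
    """Turn tshark -T fields lines into dicts; missing trailing fields become ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (4 - len(parts))
        stream, code, location, uri = parts[:4]
        rows.append({"stream": int(stream), "code": code,
                     "location": location, "uri": uri})
    return rows


def same_target(location, uri):
    """Does a request URI point where the Location header sent the client?"""
    loc, req = urlparse(location), urlparse(uri)
    if loc.scheme and loc.netloc:
        return (loc.scheme, loc.netloc.lower(), loc.path or "/") == \
               (req.scheme, req.netloc.lower(), req.path or "/")
    # Relative Location: the response row has no host, so compare paths only.
    return (loc.path or "/") == (req.path or "/")


def pair_redirects(rows):
    """For each 301/302 response, find the first later request that follows it.

    Returns (redirect_row, request_row_or_None) tuples, in capture order.
    """
    pairs = []
    for i, row in enumerate(rows):
        if row["code"] not in ("301", "302"):
            continue
        follow = next((r for r in rows[i + 1:]
                       if r["uri"] and not r["code"]
                       and same_target(row["location"], r["uri"])), None)
        pairs.append((row, follow))
    return pairs


def stream_filter(pair):
    """Build the display filter that shows both halves of one redirect."""
    redirect, follow = pair
    streams = {redirect["stream"]}
    if follow is not None:
        streams.add(follow["stream"])
    return " or ".join(f"tcp.stream eq {s}" for s in sorted(streams))


if __name__ == "__main__":
    for redirect, follow in pair_redirects(parse_fields(SAMPLE)):
        status = "followed" if follow else "NOT followed"
        print(f"{redirect['code']} -> {redirect['location']} ({status}): "
              f"{stream_filter((redirect, follow))}")
```

Paste each printed filter into Wireshark to see the redirect and its follow-up request together; a redirect reported as not followed is exactly the case Guy Harris describes below, where the client never issued the second request, so there is nothing on the wire to follow.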

Wireshark does not provide that functionality.

...because it's a network analyzer, not a Web browser or other Web client. It shows you what happened on the network, and if the program that sent the request that got the redirect didn't follow the redirect, then following-the-redirect didn't happen on the network.

(02 Dec '13, 13:49) Guy Harris ♦♦

Very helpful and detailed small guide! Thanks!!!

(02 Dec '13, 14:55) elgalu