In the same way "Follow TCP Stream" joins packets for easier analysis.

Is there a way to follow HTTP redirects without doing it manually?

asked 01 Dec '13, 11:31

elgalu
edited 01 Dec '13, 11:32


Is there a way to follow HTTP redirects without doing it manually?

Wireshark does not provide that functionality and it would be hard to implement for several reasons (see also the comment of @Guy Harris).

In some cases you will see the redirect and the following request in the same TCP connection, if the client uses HTTP/1.1 and it reuses the same connection to the same server. However, as shown in your example, there can also be redirects to a different host (request: rubygems.org, redirect: production.s3.rubygems.org), hence the client must use a different TCP connection.

What you can do is to support the manual process as much as possible with the features/tools Wireshark provides (and/or tshark):

  1. Add some columns to show the following values: tcp.stream, http.location and http.request.full_uri
  2. Apply the following display filter: http.response.code == 302 or http.response.code == 301 or http.request

The whole thing will look like the following screenshot.

The filtered frames will show the redirect and (in most cases), directly following it, the request to the redirected page. If there is a lot of traffic, you could further filter the requests based on client IP (ip.addr) and User-Agent header (http.user_agent).

Then simply take the TCP stream values and build your next filter:

tcp.stream eq 2 or tcp.stream eq 3

Unfortunately you still can't 'follow' both streams at once, but at least you will be able to do the manual analysis a bit faster ;-))

You can do the same thing with tshark and some scripting!

As an alternative, you could write a Listener/Tap (in C or Lua) and filter things there, but that's quite some work to do, and probably not worth the time, if you don't have to follow hundreds of redirects per day.

http://wiki.wireshark.org/Lua/Taps

Regards
Kurt

answered 02 Dec '13, 13:46

Kurt Knochner ♦
edited 02 Dec '13, 13:52
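One way to do the "tshark and some scripting" step from the answer above, as an added example that is not part of the original answer or of the Wireshark project: a Python script that pairs each 301/302 response with the request that followed its Location (resolving relative Locations against the last request seen on the same tcp.stream) and emits the tcp.stream filter the answer suggests. The sample rows are constructed; the tshark command in the comment is the assumed source of that input.

```python
from urllib.parse import urljoin

# Constructed sample of tshark output (not a real capture), one tab-separated line per
# frame from: tshark -r trace.pcap -Y 'http.response.code == 301 or
#   http.response.code == 302 or http.request' -T fields -E separator=/t -E occurrence=f
#   -e frame.number -e tcp.stream -e http.response.code -e http.location -e http.request.full_uri
SAMPLE = (
    "10\t2\t\t\thttp://rubygems.org/gems/foo.gem\n"                   # request
    "14\t2\t302\thttp://production.s3.rubygems.org/gems/foo.gem\t\n"  # redirect to another host
    "21\t3\t\t\thttp://production.s3.rubygems.org/gems/foo.gem\n"     # followed on a new connection
    "30\t7\t\t\thttp://example.test/old\n"
    "33\t7\t301\t/new\t\n"                            # relative Location, same connection reused
    "37\t7\t\t\thttp://example.test/new\n"
    "50\t9\t\t\thttp://example.test/gone\n"
    "52\t9\t302\thttp://example.test/elsewhere\t\n"   # the client never followed this one
)

def parse_rows(text):
    """Split tshark -T fields output into dicts; an empty field means 'not present'."""
    rows = []
    for line in text.splitlines():
        frame, stream, code, location, uri = (line.split("\t") + [""] * 5)[:5]
        rows.append({"frame": int(frame), "stream": int(stream), "code": code,
                     "location": location, "uri": uri})
    return rows

def chain_redirects(rows):
    """Pair each 301/302 with the first later request for its (resolved) Location URI."""
    last_uri = {}  # tcp.stream -> latest request URI, base for resolving relative Locations
    chains = []
    for i, row in enumerate(rows):
        if row["uri"]:                     # a request line
            last_uri[row["stream"]] = row["uri"]
        elif row["code"] in ("301", "302") and row["location"]:
            target = urljoin(last_uri.get(row["stream"], ""), row["location"])
            follow = next((r for r in rows[i + 1:] if r["uri"] == target), None)
            chains.append({"redirect_frame": row["frame"], "from_stream": row["stream"],
                           "target": target, "to_stream": follow and follow["stream"]})
    return chains

def stream_filter(chain):
    """Build the display filter from the answer, e.g. 'tcp.stream eq 2 or tcp.stream eq 3'."""
    if chain["to_stream"] is None:
        return None  # redirect was never followed, so there is nothing more on the wire
    streams = sorted({chain["from_stream"], chain["to_stream"]})
    return " or ".join(f"tcp.stream eq {s}" for s in streams)
```

A redirect with no matching later request yields no filter, which is exactly the case Guy Harris describes: if the client did not follow, nothing happened on the network to follow.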

Wireshark does not provide that functionality.

...because it's a network analyzer, not a Web browser or other Web client. It shows you what happened on the network, and if the program that sent the request that got the redirect didn't follow the redirect, then following-the-redirect didn't happen on the network.

(02 Dec '13, 13:49) Guy Harris ♦♦

Very helpful and detailed small guide! Thanks!!!

(02 Dec '13, 14:55) elgalu