filter the response to a matched HTTP request

Question

I'm trying to get wireshark to only capture requests that I'm sending to wildfly via my test suite, I've gotten everything filtered but the responses to the http request contains.

(tcp.dstport == 8080 || tcp.srcport == 8080 ) && http && ! http.request.uri contains "/test/"

not sure what I need to look at to get it to match only the responses to the requests that contained test.

Answer 1

not sure what I need to look at to get it to match only the responses to the requests that contained test.

you can do this:

Filter for the request: http.request.uri contains "/test"
Get the TCP stream number(s) of those frames (tcp.stream)
Then filter for: tcp.stream eq xxx and frame contains "HTTP/1.1 200 OK" (or HTTP/1.0)

You can automate that with tshark and some scripting.

tshark -nr input.pcap -R 'http.request.uri contains "/test"' -T fields -e tcp.stream
Read the tcp streams with a script and create new filters based on them
tshark -nr input.pcap -R 'tcp.stream eq xxx and frame contains "HTTP/1.1 200 OK"'

See also my answer to a similar question

http://ask.wireshark.org/questions/27616/follow-http-redirects-automatically-http-status-codes-301302

Regards
Kurt

Answer 2

I don't think that that is possible with just one single filter, because the answer packet does not contain the request (unlike in DNS answers, for example).

Wireshark can only filter on some packets depending on other packets if the dissector transfers the relevant details to the answer packet. An example for that would be the "http.request_in" which can be used to find packets that are a response to another packet, but that packet has to be specified by number. You can't use a uri filter for this.

Answer 3

This is the kind of thing MATE is good for.

Unfortunately it's not documented very well and can be tricky to use, but it is almost certainly possible to do what you want with it...