This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter the response to a matched HTTP request

2

I'm trying to get Wireshark to only capture requests that I'm sending to WildFly via my test suite. I've gotten everything filtered but the responses to the HTTP request contains.

(tcp.dstport == 8080 || tcp.srcport == 8080 ) && http && ! http.request.uri contains "/test/"

Not sure what I need to look at to get it to match only the responses to the requests that contained test.

asked 19 Mar '14, 13:44

xenoterracide


3 Answers:

2

not sure what I need to look at to get it to match only the responses to the requests that contained test.

You can do this:

  1. Filter for the request: http.request.uri contains "/test"
  2. Get the TCP stream number(s) of those frames (tcp.stream)
  3. Then filter for: tcp.stream eq xxx and frame contains "HTTP/1.1 200 OK" (or HTTP/1.0)

You can automate that with tshark and some scripting.

  1. tshark -nr input.pcap -Y 'http.request.uri contains "/test"' -T fields -e tcp.stream
  2. Read the tcp streams with a script and create new filters based on them
  3. tshark -nr input.pcap -Y 'tcp.stream eq xxx and frame contains "HTTP/1.1 200 OK"'

See also my answer to a similar question

http://ask.wireshark.org/questions/27616/follow-http-redirects-automatically-http-status-codes-301302

Regards
Kurt

answered 20 Mar '14, 12:08

Kurt Knochner ♦

edited 20 Mar '14, 12:10
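
The three tshark steps from the answer above, as an added shell example (not part of the original answers). The function names and the capture-file and URI arguments are assumptions; it uses `-Y` for the display filter and swaps `frame contains "HTTP/1.1 200 OK"` for `http.response` so that responses with any status code are kept.

```shell
#!/bin/sh
# Added example: two-pass tshark filtering of HTTP responses by request URI.
# Function names are hypothetical; capture path and URI substring are arguments.

# Read tcp.stream values (one per line, as printed by
# `tshark -T fields -e tcp.stream`) and emit a display filter that selects
# the HTTP responses on those streams. Returns non-zero if no stream was read.
build_response_filter() {
    tr ',' '\n' |            # a frame can report several comma-separated values
    grep -E '^[0-9]+$' |     # drop blank or malformed lines
    sort -n -u |             # one clause per stream
    awk '
        { clause = clause (n++ ? " or " : "") "tcp.stream eq " $0 }
        END {
            if (n == 0) exit 1
            printf "(%s) and http.response\n", clause
        }'
}

# Pass 1 collects the streams whose request URI contains $2,
# pass 2 prints the HTTP responses seen on those streams.
# Assumes $2 contains no double quotes (it is pasted into the filter string).
# Note: on a keep-alive connection the stream also carries the responses to
# any other requests sent over it, so those are printed as well.
responses_for_uri() {
    pcap=$1 uri=$2
    filter=$(tshark -nr "$pcap" -Y "http.request.uri contains \"$uri\"" \
                 -T fields -e tcp.stream | build_response_filter) || {
        echo "no request URI contains \"$uri\"" >&2
        return 1
    }
    tshark -nr "$pcap" -Y "$filter"
}

# Usage: sh responses.sh input.pcap /test/
if [ "$#" -eq 2 ]; then
    responses_for_uri "$1" "$2"
fi
```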

1

I don't think that that is possible with just one single filter, because the answer packet does not contain the request (unlike in DNS answers, for example).

Wireshark can only filter on some packets depending on other packets if the dissector transfers the relevant details to the answer packet. An example for that would be the "http.request_in" which can be used to find packets that are a response to another packet, but that packet has to be specified by number. You can't use a uri filter for this.

answered 19 Mar '14, 14:09

Jasper ♦♦

0

This is the kind of thing MATE is good for.

Unfortunately it's not documented very well and can be tricky to use, but it is almost certainly possible to do what you want with it...

answered 20 Mar '14, 10:17

JeffMorriss ♦