i'm trying to filter out the ip, the method(GET and POST), and then http data that contains a specific string. The filter looks like this: http.request.method == "GET" && http.request.method == "POST" && ip.src == 10.1.5.8 && http contains "facebook" I want to filter the data as specified by the filter, but it don't work. If I use || instead of &&, it works, other IPs are also shown, which is wrong. The only IP that should be listed is 10.1.5.8 asked 31 Mar '14, 08:21  brajzore |
One Answer:
The method can either be "GET" or "POST", but you're filtering using "and". Also, you need to put brackets in the right places to force the IP address being part of the transaction. Try answered 31 Mar '14, 08:34  Jasper ♦♦ edited 31 Mar '14, 08:35 |
But I want to show both GET and POST data in the list? Or should I not do this? Can u explain? :)
Thank you for your answer.
With that filter, you will. "OR" in this case means "give me any HTTP request that contains GET or POST", in a boolean way - which means that if any of the two is found it will pass the filter. If you only want one of them you just specify that one, without the other.
Asking for "GET and POST" doesn't make any since, because it means "give me all requests that are GET and POST at the same time", which can never happen - it can only be one or the other.
Okey. Thank you. So if I want the post and the get data, and the ips and the websites that the users have been visited, i should write like this:
(http.request.method == "GET" or http.request.method == "POST") and (ip.src == 10.1.5.8 or ip.src == 10.1.5.2 or ip.src == 10.1.5.3 or ip.src == 10.1.5.4 or ip.src == 10.1.5.5 or ip.src == 10.1.5.7) and (http contains "facebook" or http contains "reddit")
yes, you could do something like that. Just try things out, I think you're on the right track.