Hi, I used these 3 filters to count HTTP packet numbers:

For HTTP packets:
    port http
For HTTP request packets:
    tcp dst port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
For HTTP response packets:
    tcp src port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

And with this file: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=http.cap

I got this result:
    HTTP pkt count = 479
    HTTP req count = 1
    HTTP res count = 168

The question is: how come req + res != total? What are those 310 packets? Thanks

asked 17 Jun '14, 00:03 abd, edited 17 Jun '14, 00:04
One Answer:
Those 310 packets are probably those that you filtered 'away' with the following term
as that's the difference between 'port http', which is equivalent to
So, if you filter for (in the first step)
you should get the same results.

Regards

answered 17 Jun '14, 07:52 Kurt Knochner ♦

Thanks. Well, there is something that I didn't know about HTTP. There are many packets in response to a request that don't have an Application Layer header. They're probably the continuation of a response packet (with an Application Layer header) which didn't finish in the response packet itself. So, my stats are actually true. HTTP != Req pkts + Res pkts. Thank you so much for leading me to understand this. Thanks

(17 Jun '14, 21:09) abd

Good. Hint: If a supplied answer resolves your question, can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(18 Jun '14, 09:48) Kurt Knochner ♦
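As an added illustration (not code from this thread or from Wireshark), the script below reimplements the arithmetic of the question's capture filters in Python on a small constructed sequence of IPv4/TCP packets: a handshake, one GET, the server's ACK, a response header segment, a continuation segment and a final client ACK. Packet layout, ports and payloads are assumptions made up for the example; no checksums are computed.

```python
import struct

def build_packet(src_port, dst_port, payload=b"", ip_opts=b"", tcp_opts=b""):
    """Build a minimal IPv4+TCP packet (constructed test data, no checksums)."""
    ihl_words = 5 + len(ip_opts) // 4
    doff_words = 5 + len(tcp_opts) // 4
    total_len = ihl_words * 4 + doff_words * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0, 0,
                         64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + ip_opts
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                          doff_words << 4, 0x18, 65535, 0, 0) + tcp_opts
    return ip_hdr + tcp_hdr + payload

def tcp_payload_len(pkt):
    """The BPF expression from the question:
    ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), i.e. bytes after the TCP header."""
    ip_hlen = (pkt[0] & 0xF) << 2                  # IHL in 32-bit words -> bytes
    ip_total = struct.unpack("!H", pkt[2:4])[0]    # IPv4 total length
    tcp_doff = (pkt[ip_hlen + 12] & 0xF0) >> 2     # TCP data offset -> bytes
    return ip_total - ip_hlen - tcp_doff

def ports(pkt):
    ip_hlen = (pkt[0] & 0xF) << 2
    return struct.unpack("!HH", pkt[ip_hlen:ip_hlen + 4])

def count_http(pkts):
    """Apply the three filters; 'empty' is what 'port http' matches but the other two drop."""
    counts = {"http": 0, "req": 0, "res": 0, "empty": 0}
    for p in pkts:
        sport, dport = ports(p)
        if 80 not in (sport, dport):               # "port http"
            continue
        counts["http"] += 1
        has_data = tcp_payload_len(p) != 0
        if dport == 80 and has_data:               # "tcp dst port 80 and (...) != 0"
            counts["req"] += 1
        elif sport == 80 and has_data:             # "tcp src port 80 and (...) != 0"
            counts["res"] += 1
        else:
            counts["empty"] += 1                   # SYN/ACK-only segments, no TCP payload
    return counts

# Constructed capture: the missing packets are exactly the zero-payload ones.
SAMPLE = [
    build_packet(40001, 80, tcp_opts=b"\x02\x04\x05\xb4"),   # SYN (MSS option)
    build_packet(80, 40001, tcp_opts=b"\x02\x04\x05\xb4"),   # SYN/ACK
    build_packet(40001, 80),                                  # ACK, handshake done
    build_packet(40001, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_packet(80, 40001),                                  # server ACKs the request
    build_packet(80, 40001, b"HTTP/1.1 200 OK\r\nContent-Length: 40\r\n\r\n"),
    build_packet(80, 40001, b"<html>" + b"x" * 34),           # continuation segment
    build_packet(40001, 80),                                  # client ACKs the body
    build_packet(40002, 443),                                 # non-HTTP, never counted
]
```

Note that the continuation segment is still counted as a response by the BPF filter (it has a non-zero payload from port 80), which is why the gap is made up only of payload-less segments such as ACKs and handshake packets.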
I think those other 310 packets are "Continuation or non-HTTP traffic" packets; when you enable "Reassemble HTTP headers spanning multiple TCP segments" in the HTTP preferences, they will disappear.