Hi - relative Wireshark noob, but experienced computer scientist. I'm managing a large wireless network and have set Wireshark to capture all packets. After capturing approximately 1 million across a wide variety of users, our security team wanted to check HTTP POST requests. Using the filter: http.request.method == "POST" yielded ZERO results. Now, I am 100% certain that there were POST requests (I issued them personally from non-HTTPS). I was able to find the corresponding GET for each missing POST. So, any ideas why I would be seeing absolutely no POST requests? Again, I'm new with Wireshark, but I do know that the POST requests were issued. Thanks for the help.
-TB
asked 26 Jan '15, 11:57 trollerboy
One Answer:
Well, if you find "GET" requests for each location where you think there should be a "POST" you have found your problem (if there should be "POST"s instead) - because in HTTP, there is either "GET" or "POST" (or other request types). There is no "GET for POST" mechanism (maybe I misread your statement, but it looked to me like this either/or may not be clear). Are you sure there must be "POST" requests? You should see that request type as a form tag action parameter, otherwise they're all "GET". How did you "issue" your "POST" requests? You can only create them with form actions, or when using a tool like Fiddler, which can force that kind of request type. Using bookmarks, reloading pages, using links etc. are all "GET".
answered 26 Jan '15, 12:18 Jasper ♦♦ edited 26 Jan '15, 12:19
Thanks for the reply, Jasper.
I used a post testing site (posttestserver.com) using the full URI as below:
http://posttestserver.com/post.php?dump&html&dir=henry&status_code=202&sleep=2
While I follow your train of thought, I think it is highly unlikely that after capturing over 1 million packets from across 40 simultaneous users I would get no POST requests to show.
I welcome and value your continued insight.
-TB
It can happen if nobody fills out a form. My guess is that over 99% of all http requests are "GET" requests.
If you called that URL in a browser it will result in a "GET" request. Just calling your PHP script "post" does not make it a "POST" action. You need to put a form in it, with a "POST" action.
I created a test page for you with a "POST" form here:
http://www.packet-foo.com/test/index.htm
Try running Wireshark while using the button. You should see a POST request.
Sure enough - you were correct! Thanks so much for making that little test page. It was exactly what I needed. You are a scholar and a gentleman.
Best regards,
-TB
You're welcome, and thank you. You might want to accept my answer with the green check mark button next to it on the left to mark it accordingly for others to find.
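The point Jasper makes in the answer and again in the comment about the test page is that the HTTP method lives in the request line, not in the URL: typing a URL into the address bar always produces GET, and only a form with a POST action (or a tool that forces the method) produces POST. The following added example, which is not part of the original thread or of either poster's work, shows what arrives on the wire in each case so the result can be compared against the http.request.method == "POST" filter. It assumes a throwaway HTTP server on 127.0.0.1 standing in for posttestserver.com and the packet-foo.com test page; the path and query string are copied from the thread, and the form field values are constructed for the demo.

```python
"""Added example (not from the original Q&A thread).

Assumption: a local HTTP server on 127.0.0.1 stands in for the sites named in
the thread, so the demo runs offline. Its handler records every request line
the way Wireshark would dissect it (method, request target, body).
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode


class RecordingHandler(BaseHTTPRequestHandler):
    """Stores each request as {"method", "target", "body"} on the server object."""

    def _record(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        # self.command is the method from the request line; self.path is the
        # request target including any query string.
        self.server.captured.append(
            {"method": self.command, "target": self.path, "body": body}
        )
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _record
    do_POST = _record

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral port on loopback and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), RecordingHandler)
    srv.captured = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def browse_to(conn, url_path):
    """Typing a URL into the address bar (or a bookmark or link): always GET,
    whatever the script is called. This is what the original poster did."""
    conn.request("GET", url_path)
    conn.getresponse().read()


def submit_post_form(conn, action, fields):
    """What <form method="POST" action="..."> sends when its button is used:
    the fields go in the body, and the request line starts with POST."""
    conn.request(
        "POST",
        action,
        body=urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    conn.getresponse().read()


def submit_get_form(conn, action, fields):
    """A <form> with no method (or method="GET"): fields end up in the query
    string and the request is still a GET."""
    conn.request("GET", action + "?" + urlencode(fields))
    conn.getresponse().read()


def display_filter(requests, method):
    """Equivalent of the Wireshark display filter http.request.method == method."""
    return [r for r in requests if r["method"] == method]


def run_demo():
    """Replay the three cases against the local server and return what it saw."""
    srv = start_server()
    host, port = srv.server_address
    conn = HTTPConnection(host, port)
    # Case 1: the URL from the thread, opened directly in a browser.
    browse_to(conn, "/post.php?dump&html&dir=henry&status_code=202&sleep=2")
    # Case 2: a form without method="POST" (constructed field value).
    submit_get_form(conn, "/post.php", {"dir": "henry"})
    # Case 3: a form with method="POST", as on the test page Jasper made.
    submit_post_form(conn, "/post.php", {"dir": "henry"})
    conn.close()
    srv.shutdown()
    srv.server_close()
    return list(srv.captured)


if __name__ == "__main__":
    seen = run_demo()
    for r in seen:
        print(r["method"], r["target"], r["body"])
    print("matches for http.request.method == \"POST\":",
          len(display_filter(seen, "POST")))
```

Only the third request would match the filter from the question; the first two are GETs, and the first one carries the whole query string from the thread in its request target even though the script is named post.php. The same three shapes are what to expect in a real capture: a POST shows its form data in the body after the headers, while a GET form submission shows it in the URL.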