This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Not capturing POST requests

0

Hi - relative Wireshark noob, but experienced computer scientist.

I'm managing a large wireless network and have set Wireshark to capture all packets. After capturing approximately 1 million across a wide variety of users, our security team wanted to check HTTP POST requests.

Using the filter: http.request.method == "POST"

yielded ZERO results. Now, I am 100% certain that there were POST requests (I issued them personally from non-HTTPS). I was able to find the corresponding GET for each missing POST.

So, any ideas why I would be seeing absolutely no POST requests? Again, I'm new with Wireshark, but I do know that the POST requests were issued.

Thanks for the help.

-TB

asked 26 Jan '15, 11:57


trollerboy
accept rate: 0%


One Answer:

2

Well, if you find "GET" requests for each location where you think there should be a "POST" you have found your problem (if there should be "POST"s instead) - because in HTTP, there is either "GET" or "POST" (or other request types). There is no "GET for POST" mechanism (maybe I misread your statement, but it looked to me this either/or may not be clear).

Are you sure there must be "POST" requests? You should see that request type as form tag action parameter, otherwise they're all "GET".

How did you "issue" your "POST" requests? You can only create them with form actions, or when using a tool like Fiddler, which can force that kind of request type. Using bookmarks, reloading pages, using links etc. are all "GET".

answered 26 Jan '15, 12:18


Jasper ♦♦
accept rate: 18%

edited 26 Jan '15, 12:19

Thanks for the reply, Jasper.

I used a post testing site (posttestserver.com) using the full URI as below:

http://posttestserver.com/post.php?dump&html&dir=henry&status_code=202&sleep=2

While I follow your train of thought, I think it is highly unlikely that after capturing over 1 million packets from across 40 simultaneous users, that I would get no POST requests to show.

I welcome and value your continued insight.

-TB

(26 Jan '15, 12:41) trollerboy

It can happen if nobody fills out a form. My guess is that over 99% of all http requests are "GET" requests.

If you called that URL in a browser it will result in a "GET" request. Just calling your PHP script "post" does not make it a "POST" action. You need to put a form in it, with a "POST" action.

I created a test page for you with a "POST" form here:

http://www.packet-foo.com/test/index.htm

Try running Wireshark while using the button. You should see a POST request.

(26 Jan '15, 12:52) Jasper ♦♦

Sure enough - you were correct! Thanks so much for making that little test page. It was exactly what I needed. You are a scholar and a gentleman.

Best regards,

-TB

(26 Jan '15, 15:17) trollerboy

You're welcome, and thank you. You might want to accept my answer with the green check mark button next to it on the left to mark it accordingly for others to find.

(26 Jan '15, 15:23) Jasper ♦♦
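An added example, not code from the thread or from Wireshark, that demonstrates the point made above: the request method is decided by how the client sends the request, not by the URL. It starts a recording HTTP server on 127.0.0.1 (the "/post.php" path is a placeholder modelled on the URL in the thread), requests the same URL once the way an address bar, bookmark or link would and once with a form body, and filters the recorded request lines the way the display filter http.request.method == "POST" does.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class RecordingHandler(BaseHTTPRequestHandler):
    """Answers every request and records its request line; the first token
    of that line is what Wireshark shows as http.request.method."""

    def _record(self):
        self.server.seen.append(self.requestline)
        if self.command == "POST":  # consume the form body
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _record
    do_POST = _record

    def log_message(self, *args):  # keep the demo output quiet
        pass


def method_filter(request_lines, method="POST"):
    """Emulate the display filter http.request.method == "POST" over
    request lines (the method is the first token of each line)."""
    return [line for line in request_lines if line.split(" ", 1)[0] == method]


def run_demo():
    """Hit the same URL two ways; return the request lines the server saw."""
    server = HTTPServer(("127.0.0.1", 0), RecordingHandler)  # local only
    server.seen = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # Placeholder path modelled on the thread; its name does not set the method.
    url = f"http://127.0.0.1:{server.server_port}/post.php?dump&html"
    try:
        # 1. Opening the URL as a browser does from the address bar, a
        #    bookmark or a link: no body is sent, so the request is a GET.
        urllib.request.urlopen(url).read()
        # 2. Sending a form body, which is what <form method="post"> does:
        #    only this request arrives as a POST.
        body = urllib.parse.urlencode({"field": "value"}).encode()
        urllib.request.urlopen(url, data=body).read()
    finally:
        server.shutdown()
    return list(server.seen)
```

run_demo() returns two request lines, one GET and one POST for the same path, and method_filter(run_demo()) keeps only the second, which is the same split a capture of the two requests would show.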