Recently I published a batch file, dumpcap.bat, on http://wiki.wireshark.org/Tools, which might help you if you're running on the Windows platform. Since the batch file currently only supports dumpcap and thus only capture filters and not Wireshark display filters, it would only be practical to use if the HTTP response codes always appear at the same offset in the TCP payload. That might be true for all 404's, but it's probably not going to be true for every error code greater than or equal to 400.
In case you want to look at it, the following might help you get started - modify settings as needed:
 1. Dumpcap runtime priority: NORMAL
 2. Dumpcap Mode: Dumpcap+Event
------------------------------[ DUMPCAP OPTIONS ]------------------------------
 3. Interface: TBD
 4. Capture file: http404.pcapng
 5. Capture filter: tcp port 80
 6. Snaplen Use default value
 7. Promiscuous mode? Y
 8. Buffer size Use default value
 9. Use pcapng format? Y
Autostop conditions:
10. Stop after <infinite> packets
11. Stop after <infinite> seconds
12. Stop after <infinite> kB
13. Stop after <infinite> files
Ringbuffer settings:
14. Switch files after: 600 seconds
15. Switch files after <infinite> kB
16. Ringbuffer max files 2 files
---------------------------[ CAPTURE EVENT OPTIONS ]---------------------------
17. Event Interface TBD
18. Event capture filter tcp port 80 and tcp[29] = 0x34 and tcp[30] = 0x30 and tcp[31] = 0x34
19. Event count 1
20. Event kills dumpcap? Y
21. Delay before kill/action 0 seconds
You can also enable the mailsend feature if you'd like an e-mail notification of when the event occurs.
I know this isn't as easy as being able to specify a tshark display filter of "http.response.code >= 400", but it might be better than nothing.
answered 04 Feb '15, 07:43
cmaynard ♦♦
9.4k●10●38●142
accept rate: 20%
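The event capture filter above (tcp[29] = 0x34 and tcp[30] = 0x30 and tcp[31] = 0x34) matches the ASCII bytes "404" at the position they occupy when a "HTTP/1.x 404" status line follows a 20-byte TCP header. The added example below is not part of the answer or of dumpcap.bat; it builds constructed TCP segments and compares that fixed-offset byte check with a real status-line parse, which makes the caveats visible: a 500 response is an error the filter never sees, and a 404 behind TCP options (a 32-byte header) shifts the payload so the filter misses it too.

```python
import struct

def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment: 20-byte fixed header + options + payload (ports/seq are dummies)."""
    assert len(options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         80, 51234,                 # src port, dst port (constructed)
                         1, 1,                      # seq, ack
                         data_offset << 4, 0x18,    # data offset/reserved, flags PSH+ACK
                         65535, 0, 0)               # window, checksum (unset), urgent
    return header + options + payload

def fixed_offset_filter_matches(segment: bytes) -> bool:
    """Same test as the capture filter tcp[29]=0x34 and tcp[30]=0x30 and tcp[31]=0x34."""
    return len(segment) >= 32 and segment[29:32] == b"404"

def http_status_code(segment: bytes):
    """Honour the TCP data offset, then parse 'HTTP/x.y NNN ...'; None if not a status line."""
    if len(segment) < 20:
        return None
    hdr_len = (segment[12] >> 4) * 4
    first_line = segment[hdr_len:].split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None

def is_error_response(segment: bytes) -> bool:
    """What the wished-for display filter http.response.code >= 400 would select."""
    code = http_status_code(segment)
    return code is not None and code >= 400

# Constructed sample segments: NOP, NOP, timestamp option = 12 bytes of TCP options.
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8
PLAIN_404 = build_tcp_segment(b"HTTP/1.1 404 Not Found\r\n\r\n")
PLAIN_500 = build_tcp_segment(b"HTTP/1.1 500 Internal Server Error\r\n\r\n")
OPTS_404 = build_tcp_segment(b"HTTP/1.1 404 Not Found\r\n\r\n", TS_OPTIONS)

def compare(segment: bytes):
    """Return (fixed-offset filter result, true error status) for a segment."""
    return fixed_offset_filter_matches(segment), is_error_response(segment)
```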