In a not-so-common case, I need to catch http transactions where the response body length is between, say, 500 and 600. Is there a way to filter this? Thanks. asked 08 May '15, 15:38  pktUser1001 |
One Answer:
If you mean with body length the content length then this filter should work: (http.response) && (http.content_length >10445 ) && (http.content_length < 13000) answered 08 May '15, 16:13  Christian_R |
"Catch" here meaning "after you've captured the traffic, find the HTTP responses in it with a length within a given range". It doesn't mean "when capturing the traffic, only capture those responses; that's not supported (and would be extremely difficult, if it's possible at all).
Thanks Guy for the clarification. Agree that a "capture" filter that can do this would be much harder than display filter that Christian_R reminded me. I was looking for the display filter like http.body_len, didn't find it (of course!).
It might be worth it to extend the filter mechanism to have a function that evaluates to the number of bytes in a field.