This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter out HTTP transactions involving resource files

0

I have a pcap with many HTTP transactions. I can list all the HTTP requests by using "http.request" as the filter. However, there are lots of HTTP transactions for .js, .css, .gif, .jpg, .png files. I wonder if it is possible to filter them out; those resource files make it harder for me to search for transactions I am interested in.

asked 29 Jul '15, 09:28

pktUser1001


One Answer:

1

You can try to combine it with the "http.request.full_uri" filter with the MATCHES operator. So it is possible to specify a filter with regular expressions.

answered 29 Jul '15, 09:41

Christian_R

Thanks @cristian_r for the idea. It's a good one. In my case, some http uri may look like xxxxxx.gif?p=12483933434. Do you have any example filters to catch that case as well as the simpler case (the url ends with DOT <extension>)?

(29 Jul '15, 13:12) pktUser1001

You mean something like that:

http.request and !((http.request.full_uri matches "http://.*\.gif.*") or (http.request.full_uri matches "http://.*\.xml.*"))
(29 Jul '15, 14:50) Christian_R

If the answer provided solves your problem, could you accept the solution as answered (check mark below the thumbs-up and thumbs-down). This will help others in the future.

Thank you.

(30 Jul '15, 12:32) Christian_R

Sorry for the late reply, didn't get a notification. It works in most cases (edge cases do exist: xyz.giff). There are many extensions for resources, so the expression will be quite long. I will accept this answer though. Thanks.

(04 Aug '15, 15:04) pktUser1001
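
One regular expression with an alternation can cover the long extension list, the `.gif?p=...` form and the `xyz.giff` edge case raised in the comments above. This is an added example, not part of the original thread: the extension list, helper names and sample URIs are assumptions, and Python's `re` stands in for Wireshark's regex engine so the pattern can be checked offline before pasting the generated filter.

```python
import re

# Assumed list of static-resource extensions; extend as needed.
RESOURCE_EXTS = ["js", "css", "gif", "jpg", "jpeg", "png"]


def resource_regex(exts):
    """Regex for a URI whose path (the part before '?') ends in one of exts.

    [.] and [?] are character classes, so the pattern contains no
    backslashes and needs no escaping inside the quoted filter string.
    """
    for ext in exts:
        if not ext.isalnum():
            raise ValueError("extension must be alphanumeric: %r" % ext)
    # ^[^?]* keeps the match inside the path, so "?file=a.png" is ignored.
    # ([?]|$) requires the extension to end there, so ".giff" is ignored.
    return "^[^?]*[.](" + "|".join(exts) + ")([?]|$)"


def display_filter(exts, field="http.request.full_uri"):
    """Display filter that hides requests for the listed resource types."""
    return 'http.request and !(%s matches "%s")' % (field, resource_regex(exts))


def is_resource(uri, exts=RESOURCE_EXTS):
    """Local check of the pattern; IGNORECASE mirrors the
    case-insensitive behaviour of Wireshark's matches operator."""
    return re.search(resource_regex(exts), uri, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample URIs, not taken from any capture.
    samples = [
        "http://example.com/static/app.js",
        "http://example.com/img/logo.gif?p=12483933434",
        "http://example.com/xyz.giff",
        "http://example.com/api/items?file=a.png",
        "http://example.com/index.html",
    ]
    for uri in samples:
        print("hidden" if is_resource(uri) else "shown ", uri)
    print(display_filter(RESOURCE_EXTS))
```
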