This is our old Q&A Site. Please post any new questions and answers at

I'm making a very minimalistic wireshark profile, so someone without much technical knowledge can get a quick overview of http and ssl/tls traffic ("non-technical" information).


Right now I have the following columns;

No. | Protocol | http.referer | | Info | ssl.handshake.extensions_server_name | http.request.full_uri

My question is, does the last filter (http.request.full_uri) always show the host that is also displayed with the filter?

Or is/can there be a difference between: "" and "http.request.full_uri"? Otherwise I can just use the full_uri filter without the separate host filter.


Is the filter "ssl.handshake.extensions_server_name" the only one that shows some 'understandable' information about encrypted traffic? And what exactly is the role of this server name and why is this not encrypted?

Any other ideas about filters that show this "low-level" information is also appreciated.

Thanks! Danny

asked 12 Jul '16, 07:12

r00t070's gravatar image

accept rate: 0%

edited 12 Jul '16, 08:14

The http.request.full_uri field is the field concatenated with the http.request.uri field, so yes, http.request.full_uri will always show the same host as the field.

permanent link

answered 12 Jul '16, 22:34

Jim%20Aragon's gravatar image

Jim Aragon
accept rate: 24%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 12 Jul '16, 07:12

question was seen: 9,482 times

last updated: 12 Jul '16, 22:34

p​o​w​e​r​e​d by O​S​Q​A