This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“http.host” and “http.request.full_uri” filter

0

I'm making a very minimalistic Wireshark profile, so someone without much technical knowledge can get a quick overview of http and ssl/tls traffic ("non-technical" information).

QUESTION 1

Right now I have the following columns:

No. | Protocol | http.referer | http.host | Info | ssl.handshake.extensions_server_name | http.request.full_uri

My question is, does the last filter (http.request.full_uri) always show the host that is also displayed with the http.host filter?

Or is/can there be a difference between: "http.host" and "http.request.full_uri"? Otherwise I can just use the full_uri filter without the separate host filter.

QUESTION 2

Is the filter "ssl.handshake.extensions_server_name" the only one that shows some 'understandable' information about encrypted traffic? And what exactly is the role of this server name and why is this not encrypted?

Any other ideas about filters that show this "low-level" information are also appreciated.

Thanks! Danny

asked 12 Jul '16, 07:12

r00t070
accept rate: 0%

edited 12 Jul '16, 08:14


One Answer:

1

The http.request.full_uri field is the http.host field concatenated with the http.request.uri field, so yes, http.request.full_uri will always show the same host as the http.host field.

answered 12 Jul '16, 22:34

Jim Aragon
accept rate: 24%
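The concatenation described in the answer, as an added example that is not part of the original thread and is not Wireshark's code: a Python parser that takes constructed HTTP requests, extracts the Host header and request URI, and rebuilds the full URI. It goes beyond the case in the answer by also covering a request with no Host header and a proxy-style absolute request target; the `http://` prefix, the handling of those two cases, and the names `summarize` and `host_mismatch` are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not taken from a real capture).
SAMPLES = [
    b"GET /index.html?x=1 HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Referer: http://example.org/\r\n\r\n",
    b"GET http://proxy-target.example/a HTTP/1.1\r\nHost: other.example\r\n\r\n",
    b"GET /legacy HTTP/1.0\r\n\r\n",
]


def summarize(raw: bytes) -> dict:
    """Return host, request URI and rebuilt full URI for one HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # keep the first occurrence of each header
            headers.setdefault(name.strip().lower(), value.strip())
    host = headers.get("host")
    target = urlsplit(uri)
    absolute = bool(target.scheme and target.netloc)
    if absolute:
        # Assumption: the request line already carries a host, keep it as is.
        full_uri = uri
    elif host is not None:
        # Host header + request URI, as the answer describes
        # (scheme prefix assumed to be http for cleartext traffic).
        full_uri = "http://" + host + uri
    else:
        full_uri = None  # no Host header, nothing to concatenate
    # Flag requests whose request-line host differs from the Host header.
    mismatch = bool(absolute and host is not None
                    and target.hostname != host.split(":")[0].lower())
    return {"host": host, "uri": uri, "full_uri": full_uri,
            "host_mismatch": mismatch}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(summarize(sample))
```

Keeping the separate host column next to the full URI column makes the second kind of request visible at a glance in a minimal profile.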