What filter can I use to obtain the streams associated with the objects that are listed when doing the following in Wireshark? File/Export/Objects/HTTP. Thank you in advance! asked 09 Aug '11, 14:49 Migdalia edited 29 Feb '12, 19:13 cmaynard ♦♦
One Answer:
The filter "http" will be a good start :-) answered 09 Aug '11, 14:59 SYN-bit ♦♦
Thank you for your response! ... I am adding more details:
My trace file has hundreds of streams to the same server, but not all the streams have an object (file download). I would like to filter the complete conversations (TCP and HTTP packets) for the streams that have objects. I get a good filter when I do the following:
With this output, I identify the streams that have objects, and manually create a filter like: (tcp.stream == 25) || (tcp.stream == 49) || (tcp.stream == 70) || (tcp.stream == 77) || (tcp.stream == 83)
This works for trace files with few objects, but not when the list is long. I would like something like "tcp.stream contains <filename>", but "contains" cannot be used as an operator with tcp.stream. Is there an easy way to accomplish this? Thank you.
(converted your "answer" to a "comment", please see the FAQ for details)
The filtering mechanism is currently only able to select frames that match a particular pattern. It is not capable of selecting a whole session (tcp stream) based on something in the stream.
The way I work around this is to use some scripting around tshark. Please see the presentation I gave at Sharkfest for more info on how to do that.
Another way would be to use MATE or Lua, but I have not used them enough myself to explain how to use them.
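The tshark-scripting workaround described in the comment above, written out as an added example that is not part of the thread: it collects the tcp.stream numbers of frames carrying an HTTP body and joins them into the same "(tcp.stream == N) || ..." display filter the asker built by hand. It assumes tshark is on PATH and uses the `http.file_data` field as an approximation of the frames that Export Objects -> HTTP lists; the sample tshark output is constructed.

```python
"""Build a Wireshark display filter that selects whole TCP streams carrying HTTP bodies."""
import shutil
import subprocess
from typing import Iterable, List

# Frames with an HTTP message body; assumed here as a proxy for what
# File/Export/Objects/HTTP lists (both request and response bodies).
OBJECT_FILTER = "http.file_data"


def parse_stream_ids(tshark_output: str) -> List[int]:
    """Turn the output of 'tshark -T fields -e tcp.stream' into sorted, unique stream numbers.

    One line is printed per matching frame, so repeats are expected; blank lines
    (frames without a tcp.stream value) are skipped.
    """
    ids = set()
    for line in tshark_output.splitlines():
        line = line.strip()
        if line:
            ids.add(int(line))
    return sorted(ids)


def build_stream_filter(stream_ids: Iterable[int]) -> str:
    """Join stream numbers into '(tcp.stream == a) || (tcp.stream == b) || ...'.

    Selecting on tcp.stream pulls in every frame of the conversation (TCP handshake,
    ACKs and HTTP), which a plain 'http' filter cannot do. Empty input yields ''.
    """
    ids = sorted(set(stream_ids))
    return " || ".join(f"(tcp.stream == {sid})" for sid in ids)


def streams_with_objects(pcap_path: str) -> List[int]:
    """Run tshark over a capture and return the streams that contain HTTP bodies."""
    tshark = shutil.which("tshark")
    if tshark is None:
        raise RuntimeError("tshark not found on PATH")
    # -Y applies a display filter; -T fields -e prints one field value per frame.
    result = subprocess.run(
        [tshark, "-r", pcap_path, "-Y", OBJECT_FILTER, "-T", "fields", "-e", "tcp.stream"],
        check=True, capture_output=True, text=True)
    return parse_stream_ids(result.stdout)


# Constructed sample of tshark field output: one stream number per matching frame.
SAMPLE_TSHARK_OUTPUT = "25\n49\n25\n70\n\n77\n83\n70\n"

if __name__ == "__main__":
    print(build_stream_filter(parse_stream_ids(SAMPLE_TSHARK_OUTPUT)))
```

Paste the printed string into the Wireshark filter bar, or pass it to a second tshark run with `-Y` to write only those conversations to a new capture.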