This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I filter streams that contain file downloads?

0

What filter can I use to obtain the streams associated with the objects that are listed when doing the following in Wireshark? - File/Export/Objects/HTTP

Thank you in advance!

asked 09 Aug '11, 14:49

Migdalia

edited 29 Feb '12, 19:13

cmaynard ♦♦


One Answer:

0

The filter "http" will be a good start :-)

answered 09 Aug '11, 14:59

SYN-bit ♦♦

Thank you for your response! ... I am adding more details:

My trace file has hundreds of streams to the same server, but not all the streams have an object (file download). I would like to filter the complete conversations (TCP and HTTP packets) for the streams that have objects. I get a good filter when I do the following:

File/Export/Objects/HTTP

With this output, I identify the streams that have objects, and manually create a filter like: (tcp.stream == 25) || (tcp.stream == 49) || (tcp.stream == 70) || (tcp.stream == 77) || (tcp.stream == 83)

This works for trace files with few objects, but not when the list is long. I would like something like: "tcp.stream contains <filename>", but "contains" cannot be used as an operator with tcp.stream. Is there an easy way to accomplish this? Thank you.

(09 Aug '11, 16:14) Migdalia

(converted your "answer" to a "comment", please see the FAQ for details)

The filtering mechanism is currently only able to select frames that match a particular pattern. It is not capable of selecting a whole session (tcp stream) based on something in the stream.

The way I work around this is to use some scripting around tshark. Please see the presentation I gave at Sharkfest for more info on how to do that.

(10 Aug '11, 00:38) SYN-bit ♦♦

Another way would be to use MATE or Lua, but I have not used them enough myself to explain how to use them.

(10 Aug '11, 00:53) SYN-bit ♦♦
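The "scripting around tshark" workaround mentioned above, written out as an added example (this is not code from the thread or from the Wireshark project): a first tshark pass lists the tcp.stream index of every frame that Export Objects would list (an HTTP response that carries a body), the script deduplicates those indexes and builds exactly the kind of `(tcp.stream == N) || ...` filter the question constructs by hand, and a second pass applies that filter to write the complete conversations to a new capture. The file names `capture.pcap` and `objects.pcap`, the function names, and the choice of `http.response && http.file_data` as the "object" filter are assumptions made for this example; `-Y` is the display-filter option of tshark 1.10 and later (older releases used `-R`).

```shell
#!/bin/sh
# Added example, not from the original thread. Two passes around tshark:
#   pass 1: list the tcp.stream index of every frame matching OBJECT_FILTER
#   script: deduplicate the indexes and turn them into a display filter
#   pass 2: apply that filter and save the whole conversations to a file
# Assumes tshark >= 1.10 (-Y) is on PATH. File names are hypothetical.

# Frames Export Objects would list: HTTP responses that carry a body.
OBJECT_FILTER='http.response && http.file_data'

# Print one tcp.stream index per matching frame (duplicates are expected,
# since a stream usually has several frames that match).
list_object_streams() {  # $1 = capture file
    tshark -r "$1" -Y "$OBJECT_FILTER" -T fields -e tcp.stream
}

# Read stream indexes on stdin, write the combined display filter on stdout,
# e.g. "(tcp.stream == 25) || (tcp.stream == 49)". Blank lines are ignored
# and each index appears once, in ascending order.
streams_to_filter() {
    sort -n -u | awk '
        NF == 0 { next }
        {
            term = "(tcp.stream == " $1 ")"
            terms = (terms == "") ? term : terms " || " term
        }
        END { print terms }'
}

# Pass 1 + filter construction + pass 2: keep every TCP and HTTP frame of
# every stream that contains at least one object.
extract_object_streams() {  # $1 = input capture, $2 = output capture
    filter=$(list_object_streams "$1" | streams_to_filter)
    if [ -z "$filter" ]; then
        echo "no HTTP objects found in $1" >&2
        return 1
    fi
    echo "display filter: $filter" >&2
    tshark -r "$1" -Y "$filter" -w "$2"
}

# Usage: ./extract_object_streams.sh capture.pcap objects.pcap
if [ "$#" -eq 2 ]; then
    extract_object_streams "$1" "$2"
fi
```

The generated filter can also be pasted into the Wireshark display-filter bar. On Wireshark 1.12 and later the same selection can be written more compactly with the set-membership operator, `tcp.stream in {25 49 70}`, but the `||` form produced here works on the 1.x releases current when the question was asked.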