This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I know that an HTTP POST packet is captured by the BPF syntax tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354.

But this syntax has a problem.

If the size of the HTTP POST packet is large, the POST data is divided and transmitted in pieces. (The Info column shows "Continuation" for those packets.)

At that time, Wireshark does not collect the divided packets.

How do I collect these separate HTTP POST packets?

Which BPF filter should I use?

asked 21 Dec '16, 17:05


cds0915

edited 21 Dec '16, 23:49


Jaap ♦


I don't think it's possible to apply capture filters that have to use dependencies on other packets. In your case you'd need something that captures frames that are follow-up frames of a POST frame. As far as I know there's no way to keep track of something like this during capture.

The only way to get it all is to capture HTTP completely I'm afraid.


answered 22 Dec '16, 00:41


Jasper ♦♦

Filters (whether capture or display) can only operate on a single packet at a time; they decide whether the packet is in or out.

There is no "memory" of packets that have gone before.

(22 Dec '16, 01:06) grahamb ♦
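Added illustration (not code from the original thread, nor from Wireshark or tcpdump): a pure-Python model of the BPF expression from the question, applied to a constructed POST request split across two TCP segments, followed by the per-flow "memory" that Jasper and grahamb point out a capture filter does not have. The addresses, ports and HTTP payload are constructed, and run_demo, build_tcp_segment and PostFlowTracker are hypothetical helper names. The first segment matches the stateless check because its payload begins with 0x504f5354 ("POST"); the continuation segment does not, which is exactly the gap the question describes. Only post-capture processing that tracks flows (the small tracker here, or Wireshark's TCP reassembly on a full HTTP capture) can keep both pieces together.

```python
import struct

# Constructed endpoints for the example flow (hypothetical addresses).
CLIENT = "192.0.2.10"
SERVER = "192.0.2.80"


def build_tcp_segment(sport: int, dport: int, seq: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte TCP header (no options, checksum left 0) plus payload."""
    data_offset_byte = 5 << 4   # header length 5 words = 20 bytes; reserved bits zero
    flags = 0x18                # PSH|ACK
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         data_offset_byte, flags, 65535, 0, 0)
    return header + payload


def tcp_payload(segment: bytes) -> bytes:
    """Mirror of tcp[((tcp[12:1] & 0xf0) >> 2):...]: the high nibble of byte 12 is
    the header length in 32-bit words, so (x & 0xf0) >> 2 gives it in bytes."""
    data_offset = (segment[12] & 0xF0) >> 2
    return segment[data_offset:]


def bpf_post_match(segment: bytes) -> bool:
    """Stateless check, the same thing the capture filter does: compare the four
    bytes at the start of this segment's payload with 0x504f5354 ("POST")."""
    first4 = tcp_payload(segment)[:4]
    return len(first4) == 4 and struct.unpack("!I", first4)[0] == 0x504F5354


class PostFlowTracker:
    """The 'memory' a capture filter lacks: remember flows whose payload started
    with POST and keep their continuation segments. Sequence-number ordering and
    retransmissions are ignored here; Wireshark's TCP reassembly handles those
    after capture."""

    def __init__(self) -> None:
        self.flows: dict = {}

    def offer(self, src_ip: str, dst_ip: str, segment: bytes) -> bool:
        sport, dport = struct.unpack("!HH", segment[:4])
        key = (src_ip, sport, dst_ip, dport)
        payload = tcp_payload(segment)
        if bpf_post_match(segment):
            self.flows[key] = [payload]          # a POST request opens a flow record
            return True
        if key in self.flows and payload:
            self.flows[key].append(payload)      # continuation of a known POST flow
            return True
        return False

    def reassembled(self, src_ip: str, sport: int, dst_ip: str, dport: int) -> bytes:
        return b"".join(self.flows.get((src_ip, sport, dst_ip, dport), []))


def run_demo() -> dict:
    """Constructed POST split over two segments; report what each approach keeps."""
    body = b"field=" + b"x" * 26                  # 32-byte form body (constructed)
    head = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 32\r\n\r\n")
    first = build_tcp_segment(40000, 80, 1000, head + body[:16])
    continuation = build_tcp_segment(40000, 80, 1000 + len(head) + 16, body[16:])

    tracker = PostFlowTracker()
    kept = [tracker.offer(CLIENT, SERVER, s) for s in (first, continuation)]
    return {
        "bpf": [bpf_post_match(first), bpf_post_match(continuation)],
        "tracker": kept,
        "reassembled": tracker.reassembled(CLIENT, 40000, SERVER, 80),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the two verdicts: the BPF model returns [True, False] (the continuation is dropped), while the flow tracker returns [True, True] and can hand back the whole request. Keying on the 4-tuple is a deliberate simplification; a real reassembler also needs sequence numbers, which is one more reason this belongs after capture rather than in the capture filter.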