I know that an HTTP POST packet is captured by the BPF syntax tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354. But this syntax has a problem. If the HTTP POST packet is large, the POST data is divided and transmitted in several packets (the Info column shows "Continuation" for those packets). In that case, Wireshark does not collect the divided packets. How do I collect these separate HTTP POST packets? Which BPF filter should I use?

asked 21 Dec '16, 17:05 cds0915, edited 21 Dec '16, 23:49 Jaap ♦
One Answer:
I don't think it's possible to apply capture filters that have dependencies on other packets. In your case you'd need something that captures frames that are follow-up frames of a POST frame. As far as I know there's no way to keep track of something like this during capture. The only way to get it all is to capture HTTP completely, I'm afraid.

answered 22 Dec '16, 00:41 Jasper ♦♦
Filters (whether capture or display) can only operate on a single packet at a time; they decide whether the packet is in or out.
There is no "memory" of packets that have gone before.
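The following is an added example, not code from the question, the answer, or Wireshark itself. It reproduces the per-packet test behind the BPF expression in the question (tcp[12] data offset, then a four-byte compare against 0x504f5354) on constructed TCP segments, shows that only the first segment of a large POST matches while the "Continuation" segments do not, and then does what the answer recommends: capture the whole HTTP flow and assemble the POST afterwards by following the flow stateful, something a capture filter cannot do. IP addresses, ports, sequence numbers and the request body are all constructed for the example; the TCP checksum is left at zero.

```python
"""Added example: why a stateless BPF match sees only the first POST segment,
and how a post-capture pass over a full-flow capture gathers the rest."""
import struct

POST_MAGIC = 0x504F5354  # the four ASCII bytes "POST", as in the BPF filter


def tcp_data_offset(tcp_hdr: bytes) -> int:
    """Payload offset in bytes. The high nibble of TCP byte 12 is the header
    length in 32-bit words, so ((b & 0xf0) >> 4) * 4 == (b & 0xf0) >> 2,
    which is exactly the arithmetic in tcp[((tcp[12:1] & 0xf0) >> 2):4]."""
    return (tcp_hdr[12] & 0xF0) >> 2


def bpf_post_match(tcp_segment: bytes) -> bool:
    """Stateless equivalent of the BPF expression: true only if the first four
    payload bytes of *this* segment are "POST". No other packet is consulted."""
    if len(tcp_segment) < 20:
        return False
    off = tcp_data_offset(tcp_segment)
    if len(tcp_segment) < off + 4:
        return False
    return struct.unpack("!I", tcp_segment[off:off + 4])[0] == POST_MAGIC


def make_tcp_segment(sport: int, dport: int, seq: int, payload: bytes,
                     flags: int = 0x18) -> bytes:
    """Build a minimal 20-byte TCP header (data offset 5, PSH|ACK) plus payload.
    Constructed for the example; checksum and urgent pointer are zero."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                      65535, 0, 0)
    return hdr + payload


def collect_post_streams(packets):
    """Post-capture, stateful pass over a capture of the whole HTTP flow
    (e.g. 'tcp port 80'). Once one segment of a flow matches the BPF test,
    every later segment of the same flow (Wireshark's 'Continuation' frames)
    is kept and the payloads are joined in sequence order.
    packets: iterable of (src_ip, dst_ip, tcp_segment). Returns {flow: bytes}."""
    active = {}
    for src, dst, seg in packets:
        sport, dport, seq = struct.unpack("!HHI", seg[:8])
        key = (src, sport, dst, dport)
        if key not in active and bpf_post_match(seg):
            active[key] = []           # POST seen: start following this flow
        if key in active:
            active[key].append((seq, seg[tcp_data_offset(seg):]))
    return {k: b"".join(p for _, p in sorted(v, key=lambda t: t[0]))
            for k, v in active.items()}


# Constructed sample: a POST whose body exceeds one MSS, so it is sent as
# three segments, interleaved with an unrelated GET on a second flow.
BODY = b"field=" + b"A" * 3000
REQUEST = (b"POST /upload HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
MSS = 1460
CHUNKS = [REQUEST[i:i + MSS] for i in range(0, len(REQUEST), MSS)]


def sample_capture():
    """Four constructed packets in capture order: POST seg 1, a GET from
    another host, then POST segs 2 and 3 (the 'Continuation' frames)."""
    pkts, seq = [], 1000
    for i, chunk in enumerate(CHUNKS):
        pkts.append(("10.0.0.5", "10.0.0.80",
                     make_tcp_segment(40000, 80, seq, chunk)))
        seq += len(chunk)
        if i == 0:
            pkts.append(("10.0.0.6", "10.0.0.80",
                         make_tcp_segment(40001, 80, 500,
                                          b"GET / HTTP/1.1\r\n\r\n")))
    return pkts


def per_packet_matches(packets):
    """What the BPF filter alone would keep: one boolean per packet."""
    return [bpf_post_match(seg) for _, _, seg in packets]


if __name__ == "__main__":
    cap = sample_capture()
    print("BPF match per packet:", per_packet_matches(cap))   # only seg 1
    streams = collect_post_streams(cap)
    for flow, data in streams.items():
        print(flow, "reassembled", len(data), "bytes,",
              "complete" if data == REQUEST else "incomplete")
```

The per-packet list is the whole story of the BPF filter: segment 1 matches, the two continuation segments carry only body bytes and never will. The reassembly step only works because the capture kept every segment of the flow, which is why the practical advice is to capture the full HTTP traffic (or at least the ports involved) and select the POSTs afterwards in Wireshark with a display filter or "Follow TCP Stream".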