This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I am trying to find a way to display all HTTP requests AND the relevant responses that match a specific URI, say /images/*, from a capture file.

I appreciate that I can match the request packet with http.request.uri, but is it possible to also select the packets related to the responses?

Regards

asked 27 Oct '10, 01:47

rtector's gravatar image

rtector
1224
accept rate: 0%


Wireshark by itself is not capable of doing that. You might be able to achieve this by using MATE or LUA.

However, there is another way, you can use tshark to create a new file that contains only the HTTP requests/responses that you are interested in. Have a look at the presentation I gave at Sharkfest to see how this can be done.

permanent link

answered 28 Oct '10, 15:27

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Hmm... that is tough because you'd need to find a value in the response packet that ties it to the request packet - such as the name of the file embedded in the file that is being sent.

Since that isn't usually what happens, your best bet may be to find the packet of interest using the filter you defined and then right-click on the packet, Follow TCP Stream - you'll see all the requested URIs and responses for that connection though.

If you are trying to reassemble those requested URIs, try File > Export > Objects > HTTP.

permanent link

answered 27 Oct '10, 20:26

lchappell's gravatar image

lchappell ♦
1.2k2730
accept rate: 8%

Hi. Thank you for your answer but unfortunately the requests are pipelined (reverse proxy to server farm) and so the TCP stream is not much use. Additionally, I needed to do this on a large scale :)

Regards

(04 Nov '10, 04:45) rtector
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×293
×49
×40
×5

question asked: 27 Oct '10, 01:47

question was seen: 6,879 times

last updated: 04 Nov '10, 04:45

p​o​w​e​r​e​d by O​S​Q​A