Wireshark mailing list archives

Re: filter for ONLY initial get request


From: "Thierry Emmanuel" <Emmanuel.Thierry () technicolor com>
Date: Thu, 12 Aug 2010 18:33:58 +0200



-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Jeffs
Sent: jeudi 12 août 2010 15:54
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] filter for ONLY initial get request


I can't understand how those other domains get in there with Sake's 
filter of "http.request and http.accept contains "text/html"?

I have tested. And you are right. The Accept header seems to be a filter for the browser to negotiate accepted content 
with the server. And this filter can be very large according to the browser. For example, with Opera, some files have a 
"*/*" accept header. Some javascript scripts or dll have an accept header which contains "text/html". I didn't know how 
this header behaved before so I didn't notice, but it seems this one will not suit.
In my humble opinion, the most relevant header is the http.content_type which is in the http response, so if there is 
not a solution to that problem, you'll have to use this one. You'll have to make a relation between the request (to 
have the domain name) and the response (to have the true mime-type information). It isn't simple to do so, I think 
you'll have to make a script. We have a great chance that http is commonly over tcp so I advise you to use the 
tcp.stream field to establish this link.

I invite Sake to react another time about this issue because he may have another solution to fix that problem.

Best regards
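
The request/response correlation suggested in the message above, as an added example that is not part of the original post or of Wireshark itself: it pairs each request with its response per `tcp.stream` and keeps only requests answered with `text/html`. The column layout, the function name `html_requests` and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of tab-separated field output. Assumed columns:
#   tcp.stream, http.host, http.request.uri, http.response.code, http.content_type
# e.g. exported with:
#   tshark -r capture.pcap -Y http -T fields -e tcp.stream -e http.host \
#          -e http.request.uri -e http.response.code -e http.content_type
SAMPLE = (
    "0\twww.example.com\t/\t\t\n"
    "1\tcdn.example.net\t/lib.js\t\t\n"
    "0\t\t\t200\ttext/html; charset=utf-8\n"
    "1\t\t\t200\tapplication/javascript\n"
    "0\twww.example.com\t/logo.png\t\t\n"
    "0\twww.example.com\t/about\t\t\n"   # second request sent before a reply
    "0\t\t\t304\t\n"                     # response with no Content-Type
    "0\t\t\t200\ttext/html\n"
)


def html_requests(tsv_text, wanted="text/html"):
    """Return (stream, host, uri) for requests whose response MIME type is `wanted`."""
    pending = defaultdict(deque)  # per-stream FIFO of requests awaiting a response
    hits = []
    for line in tsv_text.splitlines():
        row = line.split("\t")
        row += [""] * (5 - len(row))      # tolerate missing trailing fields
        stream, host, uri, code, ctype = row[:5]
        if uri:                           # request row: remember host and URI
            pending[stream].append((host, uri))
        elif code:
            if code.startswith("1"):      # interim 1xx reply, the final one follows
                continue
            if not pending[stream]:       # capture started mid-connection
                continue
            # HTTP/1.x answers requests in order on a connection, so the
            # oldest pending request on this stream owns this response.
            req_host, req_uri = pending[stream].popleft()
            mime = ctype.split(";", 1)[0].strip().lower()
            if mime == wanted:
                hits.append((int(stream), req_host, req_uri))
    return hits


if __name__ == "__main__":
    for stream, host, uri in html_requests(SAMPLE):
        print(f"stream {stream}: http://{host}{uri}")
```
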
