Wireshark mailing list archives
Re: filter for ONLY initial get request
From: Jeffs <jeffs () speakeasy net>
Date: Thu, 12 Aug 2010 13:16:22 -0400
On 8/12/2010 12:33 PM, Thierry Emmanuel wrote:
-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Jeffs
Sent: jeudi 12 août 2010 15:54
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] filter for ONLY initial get request

I can't understand how those other domains get in there with Sake's filter of "http.request and http.accept contains "text/html"?

I have tested. And you are right. The Accept header seems to be a filter for the browser to negotiate accepted content with the server. And this filter can be very large according to the browser. For example, with Opera, some files have a "*/*" accept header. Some javascript scripts or dll have an accept header which contains "text/html". I didn't know how this header behaved before so I didn't notice, but it seems this one will not suit.

In my humble opinion, the most relevant header is the http.content_type which is in the http response, so if there is not a solution to that problem, you'll have to use this one. You'll have to make a relation between the request (to have the domain name) and the response (to have the true mime-type information). It isn't simple to do so, I think you'll have to make a script. We have a great chance that http is commonly over tcp so I advise you to use the tcp.stream field to establish this link.

I invite Sake to react another time about this issue because he may have another solution to fix that problem.

Best regards
Okay, let me see if I have this right... Using a script I would look for the GET request to contain the domain name with the http.content_type == "text/html" in the server response. If both of those conditions are true, grab the domain. Is that the gist of it?
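The request/response correlation discussed in this thread, as an added example that is not part of either poster's message: it pairs each response with the oldest unanswered request on the same tcp.stream and keeps the Host of GET requests answered with text/html. The tshark export command, the column order, the extra http.response.code column, the function name `html_hosts` and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of tshark output (tab-separated, one HTTP message per line).
# Assumed export: tshark -r capture.pcap -Y http -T fields -e tcp.stream
#   -e http.request.method -e http.host -e http.response.code -e http.content_type
SAMPLE = "\n".join([
    "0\tGET\twww.example.com\t\t",
    "0\t\t\t200\ttext/html; charset=UTF-8",
    "1\tGET\tcdn.example.net\t\t",
    "1\t\t\t200\tapplication/javascript",
    "0\tGET\twww.example.com\t\t",          # second request, same keep-alive stream
    "0\t\t\t304\t",                         # response without a Content-Type
    "2\tPOST\tforms.example.org\t\tapplication/x-www-form-urlencoded",
    "2\t\t\t200\ttext/html",                # HTML answer to a POST, not a GET
    "3\t\t\t200\ttext/html",                # request missing from the capture
    "4\tGET\tnews.example.org\t\t",
    "4\t\t\t200\tTEXT/HTML",
])


def html_hosts(text):
    """Hosts of GET requests whose response carried Content-Type text/html."""
    pending = defaultdict(deque)    # tcp.stream -> requests awaiting a response
    hosts = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue                # malformed or truncated line
        stream, method, host, code, ctype = fields
        if method:                  # request: remember it until its response arrives
            pending[stream].append((method, host))
        elif code and not code.startswith("1"):   # final response (skip 1xx interim)
            if not pending[stream]:
                continue            # no captured request to pair with
            req_method, req_host = pending[stream].popleft()
            mime = ctype.split(";")[0].strip().lower()
            if req_method == "GET" and mime == "text/html" and req_host not in hosts:
                hosts.append(req_host)
    return hosts


if __name__ == "__main__":
    for h in html_hosts(SAMPLE):
        print(h)
```

Pairing in arrival order relies on HTTP/1.1 answering requests on one connection in the order they were sent; a capture that starts mid-connection can shift the pairing for that stream.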