Wireshark mailing list archives
Re: filter for ONLY initial get request
From: Sake Blok <sake () euronet nl>
Date: Mon, 9 Aug 2010 17:25:04 +0200
On 8 aug 2010, at 18:22, Jeffs wrote:
so use (http.request.method == "GET")&& (http.request.uri == "/")Thank you! that is very much what I am looking for. Does wireshark take regex expressions because after using your filter (which gets me about 80% of what I need) I see there are many URLs which look like this, which I would also like: www.domainname.com/landingpagelink and the http.request.uri == "/" will not capture those embedded links because of the trailing "/landingpagelink"
What is your ultimate goal? There are several scenario's how HTTP objects are requested, each with their own way of detecting. There might not be an easy way to accomplish exactly what you want without false positives or false negatives. You might also have a look at all requests that don't have a "Referer:" header. This means the URL was typed in manually. You can use the filter 'http.request.method=="GET" && ! http.referer', but that would miss all the landing pages that were visited by clicking on a link from other sites (like clicking on a search result in Google). If you also want to landingpages of sites that were visited by clicking on a link in another site, then you would need to do some analysis on the Referer: header. You might want to include only requests in your output for which the referer header contains a different host-part as the host header in the request. This might be possible with some LUA scripting. If not, it's definitely possible by using tshark and some CLI scripting. But the most important part in solving your problem is to exactly define which requests should be listed and which ones should not. Cheers, Sake ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- filter for ONLY initial get request Jeffs (Aug 07)
- Re: filter for ONLY initial get request David Alanis (Aug 07)
- Re: filter for ONLY initial get request Jeffs (Aug 07)
- Re: filter for ONLY initial get request David Alanis (Aug 07)
- Re: filter for ONLY initial get request j.snelders (Aug 08)
- Re: filter for ONLY initial get request Jeffs (Aug 09)
- Re: filter for ONLY initial get request j.snelders (Aug 09)
- Re: filter for ONLY initial get request Sake Blok (Aug 09)
- Re: filter for ONLY initial get request Sake Blok (Aug 09)
- Re: filter for ONLY initial get request Jeffs (Aug 09)
- Re: filter for ONLY initial get request Jeffs (Aug 09)
- Re: filter for ONLY initial get request Sake Blok (Aug 09)
- Re: filter for ONLY initial get request Jeffs (Aug 10)
- Re: filter for ONLY initial get request Sake Blok (Aug 11)
- Re: filter for ONLY initial get request Jeffs (Aug 11)
- Re: filter for ONLY initial get request Thierry Emmanuel (Aug 11)
- Re: filter for ONLY initial get request Jeffs (Aug 11)
- Re: filter for ONLY initial get request Thierry Emmanuel (Aug 12)
- Re: filter for ONLY initial get request Sake Blok (Aug 12)
- Re: filter for ONLY initial get request Jeffs (Aug 07)
- Re: filter for ONLY initial get request David Alanis (Aug 07)