Re: How to filter all the http related stuff from a pcap file

[Ashish Jain <ashjain2 () gmail com>]

Thanks everyone for all the suggestions.
Sadly I am still not able to make it work :(. I have tried the following
[1] File->Export->Objects->HTTP does not display any results.
[2] Sort by HTTP but I see protocols for all the packet as TCP so this also
does not work.
[3] I applied the filter "http.request.method == GET or http.request.method
== POST"
and this also does not display any results. I later tried with
http.request.method == GET
even than I did not get any results.

The only way I am able to see data for may be 200 packets is by selecting
one packet and
using the option "follow tcp stream". Once I do that I see the following:

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
GET /XXXXX/quickview.do?id=100&rows=50 HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: abc.xyz.com
Connection: Keep-Alive
Cookie: JSESSIONID=300441658D8EABD7119231C4FF0CB0B5; KSS_USR_ID=TERYUI;
KSS_USR_NM="Gujrati Dhokle"

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 29 Apr 2010 14:27:49 GMT

2000
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

I am looking to get all the data as displayed above.
Thanks for all your help

--Ashish
On Mon, May 3, 2010 at 1:05 AM, sandeep nitta <sandeep.nitta () gmail com>wrote:

> how about applying the display filter : "http.request.method == GET or
> http.request.method == POST" and then saving the data into a new file?
>
> by the way, file|export|objects|http didnt work for me. i am attaching
> the file for analysis, if anyone can point why it didnt work.
> i am using v 1.2.4 of wireshark on win xp
>
> Thanks,
> sandeep Nitta
>
> On Fri, Apr 30, 2010 at 10:48 PM, Sheahan, John
> <John.Sheahan () priceline com> wrote:
> > I usually just sort the traffic by protocol in the display and I get an
> nice
> > concise view of all the HTTP traffic
> >
> >
> >
> > From: wireshark-users-bounces () wireshark org
> > [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Ashish Jain
> > Sent: Friday, April 30, 2010 6:50 AM
> > To: wireshark-users () wireshark org
> > Subject: [Wireshark-users] How to filter all the http related stuff from
> a
> > pcap file
> >
> >
> >
> > Hi All,
> >
> > This is my very first post to wireshark community. I am newbie and have
> > recently installed wireshark to analyse a pcap file.
> > The pcap file has around 84000 packets so it is not possible to manually
> see
> > the data in each packet. I want to get all the
> > data related to http get and post in one file. I tried "follow tcp
> stream"
> > but I see very limited stuff in it and not everything.
> > Can someone guide me on this.
> >
> > Thanks
> > Ashish
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
> >
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe