Re: How to filter all the http related stuff from a pcap file

[Abhijit Bare <abhibare () gmail com>]

This may be happening because a typical real-life HTTP session uses multiple
TCP connections to the web server. So you probably have multiple HTTP/TCP
streams going on at the same time and "Follow TCP stream" catches only one
of them at a time. Please look at client side port numbers to verify if this
is the case. I have few more suggestions.

1. Use "tcpflow". I haven't used myself, but it seems to be a program for
this.
2. Look at "conversations" dialog in Wireshark to find all TCP streams in
your pcap file. Then change filter to "tcp.stream eq 0" or "tcp.stream eq 1"
and so on and do "Follow TCP stream" on each of them. This will nicely
separate all streams.
3. #2 can be automated using this:
http://www.wireshark.org/lists/wireshark-users/200911/msg00162.html

- Abhijit


On Sun, May 2, 2010 at 2:31 PM, Ashish Jain <ashjain2 () gmail com> wrote:

> Thanks everyone for all the suggestions.
> Sadly I am still not able to make it work :(. I have tried the following
> [1] File->Export->Objects->HTTP does not display any results.
> [2] Sort by HTTP but I see protocols for all the packet as TCP so this also
> does not work.
> [3] I applied the filter "http.request.method == GET or http.request.method
> == POST"
> and this also does not display any results. I later tried with
> http.request.method == GET
> even than I did not get any results.
>
> The only way I am able to see data for may be 200 packets is by selecting
> one packet and
> using the option "follow tcp stream". Once I do that I see the following:
>
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> GET /XXXXX/quickview.do?id=100&rows=50 HTTP/1.1
> Accept: */*
> Accept-Language: en-us
> UA-CPU: x86
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
> 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
> Host: abc.xyz.com
> Connection: Keep-Alive
> Cookie: JSESSIONID=300441658D8EABD7119231C4FF0CB0B5; KSS_USR_ID=TERYUI;
> KSS_USR_NM="Gujrati Dhokle"
>
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Pragma: no-cache
> Cache-Control: no-cache
> Content-Type: text/html;charset=ISO-8859-1
> Transfer-Encoding: chunked
> Date: Thu, 29 Apr 2010 14:27:49 GMT
>
> 2000
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
> I am looking to get all the data as displayed above.
> Thanks for all your help
>
> --Ashish
> On Mon, May 3, 2010 at 1:05 AM, sandeep nitta <sandeep.nitta () gmail com>wrote:
>
> > how about applying the display filter : "http.request.method == GET or
> > http.request.method == POST" and then saving the data into a new file?
> >
> > by the way, file|export|objects|http didnt work for me. i am attaching
> > the file for analysis, if anyone can point why it didnt work.
> > i am using v 1.2.4 of wireshark on win xp
> >
> > Thanks,
> > sandeep Nitta
> >
> > On Fri, Apr 30, 2010 at 10:48 PM, Sheahan, John
> > <John.Sheahan () priceline com> wrote:
> > > I usually just sort the traffic by protocol in the display and I get an
> > nice
> > > concise view of all the HTTP traffic
> > >
> > >
> > >
> > > From: wireshark-users-bounces () wireshark org
> > > [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Ashish Jain
> > > Sent: Friday, April 30, 2010 6:50 AM
> > > To: wireshark-users () wireshark org
> > > Subject: [Wireshark-users] How to filter all the http related stuff from
> > a
> > > pcap file
> > >
> > >
> > >
> > > Hi All,
> > >
> > > This is my very first post to wireshark community. I am newbie and have
> > > recently installed wireshark to analyse a pcap file.
> > > The pcap file has around 84000 packets so it is not possible to manually
> > see
> > > the data in each packet. I want to get all the
> > > data related to http get and post in one file. I tried "follow tcp
> > stream"
> > > but I see very limited stuff in it and not everything.
> > > Can someone guide me on this.
> > >
> > > Thanks
> > > Ashish
> > ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list <
> > wireshark-users () wireshark org>
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >             mailto:wireshark-users-request () wireshark org
> > ?subject=unsubscribe
> > >
> >
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org
> > ?subject=unsubscribe
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe