wireshark-users October 2010 archive

Re: [Wireshark-users] Filtering HTTP Get Requests in reassambled PDUs

From: Jaap Keuter <jaap.keuter_at_nospam>
Date: Tue Oct 12 2010 - 14:13:56 GMT
To: Community support list for Wireshark <wireshark-users@wireshark.org>

Hi,

That's bug 3315 [1], which you may be able to work around by
adding "or ip.flags.mf==1" to your filter expression (if IP
fragmentation is applicable).

Thanks,
Jaap

On Tue, 12 Oct 2010 15:38:31 +0200, "Gerd Windisch" wrote:

Dear all,

I am trying to filter all GET-requests to a certain server out of a PCAP
file. The display filter rule I use is "http.host contains servername".
This works fine as long as I am having the complete PCAP file. Then I save
the filtered packets in a new PCAP file. When I in turn open this PCAP
file, the GET-requests, which weren't in a fragmented PDU, are shown
correctly. However, the others (the fragmented GET-requests) are now
displayed as "Continuation or non-HTTP traffic". I found out that the
dissection of the complete PCAP file makes use of packet data of
neighboring packets, which are not saved in the output PCAP file.

The save procedure only saves the last packet of the fragmented PDU. Is
there any solution to save all required packets in the resulting PCAP
file, which allows for proper dissection later on?

Thanks in advance for your help

Regards

Gerd Windisch

 

Links:
------
[1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3315

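Why the suggested "or ip.flags.mf==1" helps when IP fragmentation is involved, as an added example that is not part of the original thread and not Wireshark code: a simplified Python model in which the Host match is reported only on the frame that completes a fragmented datagram. All function names, addresses and the sample capture are constructed for illustration, and TCP headers are left out.

```python
import struct

MF = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field

def fragment(ident, payload, size=24):
    """Split payload into raw IPv4 fragments (size must be a multiple of 8)."""
    pkts = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        more = MF if off + size < len(payload) else 0
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          more | (off // 8), 64, 6, 0,
                          bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        pkts.append(hdr + chunk)
    return pkts

def parse(pkt):
    """Return (ident, mf, offset_in_bytes, payload) of a raw IPv4 packet."""
    ident, ff = struct.unpack("!HH", pkt[4:8])
    return ident, bool(ff & MF), (ff & 0x1FFF) * 8, pkt[(pkt[0] & 0x0F) * 4:]

def host_matches(pkts, needle):
    """Indices of frames whose reassembled payload contains needle. The hit
    is reported on the frame that completes the datagram, as Wireshark does."""
    parts, total, hits = {}, {}, []
    for i, pkt in enumerate(pkts):
        ident, mf, off, data = parse(pkt)
        parts.setdefault(ident, {})[off] = data
        if not mf:
            total[ident] = off + len(data)  # final fragment fixes the length
        got = parts[ident]
        if sum(map(len, got.values())) == total.get(ident):
            if needle in b"".join(got[o] for o in sorted(got)):
                hits.append(i)
    return hits

def select(pkts, needle, workaround):
    """Frames kept by 'http.host contains X', optionally 'or ip.flags.mf==1'."""
    hits = set(host_matches(pkts, needle))
    return [p for i, p in enumerate(pkts)
            if i in hits or (workaround and parse(p)[1])]

# Constructed capture, TCP headers omitted: fragmented request, then an unrelated one.
CAPTURE = (fragment(1, b"GET /a HTTP/1.1\r\nHost: servername\r\nAccept: */*\r\n\r\n")
           + fragment(2, b"GET /b HTTP/1.1\r\n\r\n"))

if __name__ == "__main__":
    for flag in (False, True):  # without, then with, the workaround
        print(flag, host_matches(select(CAPTURE, b"servername", flag), b"servername"))
```

In this model, saving only the `http.host` hits keeps the last fragment alone and nothing reassembles, while the workaround keeps all three fragments. The `ip.flags.mf==1` term keeps the non-final fragments of every fragmented datagram in the capture, not only those belonging to matching requests.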