Wireshark – Display-Filter Corresponding Response to Request

filtertsharkwireshark

I am just tracing a very sporadic error in responses to HTTP requests to a specific resource on an embedded device's webserver.

So my plan is to run a test over night (or even weekend), capture the traffic with wireshark and then skim the dumpfiles for damaged responses.

With "http.request.uri matches "^/resource/to/be/tested" display filter I get all wanted requests.

But I need all the responses to these requests – how can I archive this?

Best Answer

You can do it with tshark follow the below steps:

Filter all HTTP packets with specific pattern in request uri
Follow TCP stream based on src IP, src port, dst IP, dst port

$ tshark -r x.pcap -R 'http.request.uri matches "^/resource/to/be/tested"' \
-T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | \
while read line; do 
    tshark -r x.pcap \
    -R "http && ip.addr == `echo $line | awk '{ print $1 }'` && \
    tcp.port == `echo $line | awk '{ print $2 }'` && \
    ip.addr == `echo $line | awk '{ print $3 }'` && \
    tcp.port == `echo $line | awk '{ print $4 }'`" \
    echo
done

Related Solutions

How to filter http traffic in Wireshark

Ping packets should use an ICMP type of 8 (echo) or 0 (echo reply), so you could use a capture filter of:

icmp

and a display filter of:

icmp.type == 8 || icmp.type == 0

For HTTP, you can use a capture filter of:

tcp port 80

or a display filter of:

tcp.port == 80

or:

http

Note that a filter of http is not equivalent to the other two, which will include handshake and termination packets.

If you want to measure the number of connections rather than the amount of data, you can limit the capture or display filters to one side of the communication. For example, to capture only packets sent to port 80, use:

dst tcp port 80

Couple that with an http display filter, or use:

tcp.dstport == 80 && http

For more on capture filters, read "Filtering while capturing" from the Wireshark user guide, the capture filters page on the Wireshark wiki, or pcap-filter (7) man page. For display filters, try the display filters page on the Wireshark wiki. The "Filter Expression" dialog box can help you build display filters.

How to filter for HTTP 500 responses and their requests in Wireshark

I believe you will have to put a capture filter for all HTTP traffic, and then put in a display filter for the http.response.code == 500
After you have found a response code, remove the display filter and then use the Follow TCP Stream -or- the Conversation Filter to find the related packets...

Best Answer

Related Solutions

How to filter http traffic in Wireshark

How to filter for HTTP 500 responses and their requests in Wireshark

Related Topic