Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Wireshark-users: [Wireshark-users] tshark filter question

Date Index Thread Index Other Months All Mailing Lists

Date Prev Date Next Thread Prev Thread Next

From: "Deapesh Misra" <deapesh@xxxxxxxxx>
Date: Wed, 1 Oct 2008 16:43:27 -0400

Hi,

I have a pcap with multiple POST and GET requests in it. Lets say this
is the format:

===================
Frame a --- GET blah-a1

Frame b --- GET blah-b1
Frame b --- GET blah-b2
Frame b --- POST blah-b3

Frame c --- POST blah-c1
===================
(I guess some kind of HTTP Pipelining is going on here)

Now, I want to get the frame numbers and the the URIs for all packets
in which either a GET or a POST request has been sent. So I wrote this
filter:

tshark -T fields -e frame.number  -e http.request.uri -r FILENAME.pcap
-R "http.request.method contains GET || http.request.method contains
POST"

But this filter ends up returning:
===================
Frame a --- GET blah-a1

Frame b --- POST blah-b3

Frame c --- POST blah-c1
===================

The two other requests within Frame b are missing (Frame b --- GET
blah-b1 and Frame b --- GET blah-b2). It seems that the filter has to
be modified to get these, but how?
Any reading material that I should go through to get this right?

thanks,
Deapesh.

Prev by Date: Re: [Wireshark-users] Unexplained Netbios Traffic
Next by Date: Re: [Wireshark-users] Unexplained Netbios Traffic
Previous by thread: Re: [Wireshark-users] summery of unique socket connections
Next by thread: [Wireshark-users] Microsoft OCS
Index(es):
- Date
- Thread