
Wireshark-users: Re: [Wireshark-users] filter for ONLY initial get request

From: David Alanis <canito@xxxxxxxx>
Date: Sun, 08 Aug 2010 01:20:35 -0500
Quoting Jeffs <jeffs@xxxxxxxxxxxxx>:

On 8/8/2010 12:02 AM, David Alanis wrote:
Quoting Jeffs <jeffs@xxxxxxxxxxxxx>:


I am working on a project which requires that the traffic across the
network grab ONLY the initial get request for http requests.  Usually,
if I use something like wireshark or justniffer, on a single user's get
request for, say, http://www.nytimes.com, I will receive all the
following traffic and then some, based on just one request to
http://www.nytimes.com:

nytimes.com
timespeople.nytimes.com
c.brightcove.com
admin.brightcove.com
graphics8.nytimes.com
s0.2mdn.net


Is there a way in wireshark or in any other network analysis tool to
grab or filter out just the initial http request for the domain and
disregard all the other follow up hosts (usually associated advertising)
that accompanies these requests?

In other words, all I want to log or see in the filter results, in the
above example, would be:

nytimes.com



Thank you.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe


I put it a simple filter of:

http.request || tcp contains domain.com

and it appears to have accomplished what you asked.

Cheers-

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.




That works if I know the domain name.  In this scenario the nytimes.com
domain was just used as an example.  In the real world there will be no
way of knowing what the domains will be that people surf to.

I'm guessing there is no way within wireshark to extract ONLY the very
first http get request from a transaction.


Not sure what your ultimate goal here is, but give this filter a try, as it only displays the initial GET / HTTP/1.1 request and nothing else...

http.request.uri == "/"

Cheers-


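To make the trade-offs between the filters discussed in this thread concrete, here is an added Python example (not from the thread or from the Wireshark project) that applies three candidate criteria to a constructed set of HTTP request records. The field names mirror Wireshark's http.host, http.request.uri, http.referer and tcp.stream; the Referer-based and first-per-stream variants are my additions, not filters proposed by the posters.

```python
"""Emulate candidate Wireshark display filters over constructed HTTP request records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    stream: int    # tcp.stream
    host: str      # http.host
    uri: str       # http.request.uri
    referer: str   # http.referer, "" when the header is absent


# Constructed capture (not a real trace): one user opens www.nytimes.com,
# the page then pulls assets and ads from other hosts over new connections;
# later the same user opens a deep link on another site.
CAPTURE = [
    HttpRequest(0, "www.nytimes.com", "/", ""),
    HttpRequest(0, "www.nytimes.com", "/css/site.css", "http://www.nytimes.com/"),
    HttpRequest(1, "graphics8.nytimes.com", "/js/app.js", "http://www.nytimes.com/"),
    HttpRequest(2, "c.brightcove.com", "/", "http://www.nytimes.com/"),
    HttpRequest(3, "s0.2mdn.net", "/ad.js", "http://www.nytimes.com/"),
    HttpRequest(4, "www.example.org", "/news/story.html", ""),
]


def hosts(reqs):
    return [r.host for r in reqs]


def filter_root_uri(reqs):
    """Equivalent of the thread's filter:  http.request.uri == "/"  ."""
    return [r for r in reqs if r.uri == "/"]


def filter_no_referer(reqs):
    """Equivalent of  http.request && !http.referer : requests the user initiated."""
    return [r for r in reqs if not r.referer]


def filter_first_per_stream(reqs):
    """First http.request on each tcp.stream, i.e. one request per connection."""
    seen, out = set(), []
    for r in reqs:
        if r.stream not in seen:
            seen.add(r.stream)
            out.append(r)
    return out


if __name__ == "__main__":
    for f in (filter_root_uri, filter_no_referer, filter_first_per_stream):
        print(f"{f.__name__:24} -> {hosts(f(CAPTURE))}")
```

Run against this capture, the thread's `uri == "/"` filter also admits a third-party host fetching its own root, while the Referer variant catches the first request to a deep link but relies on a header that clients may omit for reasons unrelated to navigation.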