
Wireshark-dev: Re: [Wireshark-dev] how can i find the source code about display filter in wires

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 13 Jan 2008 13:21:24 +0100
On Sun, Jan 13, 2008 at 03:50:19PM +0800, chunhui CHE wrote:
> 
> I am doing something about network traffic classification. When I use
> Wireshark to collect some training data, I found it didn't work very well
> sometimes. For example, when I type  tshark -r <file> -w <file> -R "http"
> on the command line and get some data about HTTP (Hypertext Transfer
> Protocol), I found it also contains a lot of P2P traffic. I am wondering how
> Wireshark defines the display filter "http". Can I get some information
> about it in the source code? And how? Can you tell me in which file?

http can be used as a transport for a variety of things, including p2p
traffic. Filtering on http just filters out traffic (on specific ports)
that uses the http protocol as a transport medium. It does not look into
the http traffic to see what kind of objects are transported.

If you want to look at the source-code, you can download the source
tarball from the website and have a look at the files:

- epan/dissectors/packet-http.c
- epan/dissectors/packet-http.h
- epan/req_resp_hdrs.c
- epan/req_resp_hdrs.h

Which take care of (most of the) http processing.

If you don't want to download the source code, you can find the files
online at:

http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/

And then browse to the specific files mentioned above.

> I am sorry, my English is poor. I hope you all can understand my question,
> and give some help. Thanks.

No worries, there are more non-native English speakers here ;-)

Cheers
    Sake
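The distinction Sake draws above, that the bare "http" display filter matches HTTP syntax on the HTTP ports and never looks at what the message body carries, is easy to see with a small classifier. The following is an added example for this archive page, not code from Wireshark, tshark or either poster: parse_http() does the syntax-level check a port-based dissector makes, matches_http_filter() is a rough stand-in for the "http" display filter, and classify_conversation() goes one step further and classifies an exchange by the Content-Type the server actually returned. All sample messages (a web page fetch, a BitTorrent tracker announce carried over HTTP, and a raw peer-wire handshake on port 80) are constructed for the example, and the WEB_CONTENT_TYPES list is an assumption about what counts as "real web traffic".

```python
"""Added illustration, not Wireshark/tshark code.

A display filter of plain "http" matches any TCP payload on the HTTP ports
that has HTTP syntax (a request line or a status line); it does not care
what the body is.  parse_http() does that syntax check; classify_conversation()
additionally looks at the Content-Type actually transported.
All sample messages below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

REQUEST_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names
    body: bytes = b""


def parse_http(payload: bytes) -> Optional[HttpMessage]:
    """Return the parsed message if payload starts with an HTTP request or
    status line, else None.  This is the kind of check a port-based dissector
    makes before claiming a segment as "http"; it says nothing about the body."""
    if not (payload.startswith(REQUEST_METHODS) or payload.startswith(b"HTTP/1.")):
        return None
    head, _sep, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    msg = HttpMessage(start_line=lines[0], body=body)
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            msg.headers[name.strip().lower()] = value.strip()
    return msg


def matches_http_filter(payload: bytes) -> bool:
    """Rough analogue of the bare display filter "http": syntax only."""
    return parse_http(payload) is not None


# Content types we treat as "real web traffic" (an assumption for the example).
WEB_CONTENT_TYPES = ("text/html", "text/css", "application/javascript", "image/")


def classify_conversation(request: bytes, response: bytes) -> str:
    """Classify one request/response exchange as 'not-http', 'web' or
    'other-over-http' using the Content-Type the server actually returned."""
    req, resp = parse_http(request), parse_http(response)
    if req is None or resp is None:
        return "not-http"
    ctype = resp.headers.get("content-type", "").lower()
    if ctype.startswith(WEB_CONTENT_TYPES):
        return "web"
    return "other-over-http"


def tally(conversations: Iterable[Tuple[bytes, bytes]]) -> Dict[str, int]:
    """Count how a set of exchanges splits across the three classes."""
    return dict(Counter(classify_conversation(q, r) for q, r in conversations))


# --- constructed sample traffic -------------------------------------------
WEB_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n")
WEB_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                b"Content-Length: 28\r\n\r\n<html><body>hi</body></html>")
# A BitTorrent tracker announce: ordinary HTTP syntax, but the "object"
# transported is a bencoded tracker reply, not a web page.
TRACKER_REQUEST = (b"GET /announce?info_hash=%AA%BB&peer_id=-XX0001- HTTP/1.1\r\n"
                   b"Host: tracker.example\r\nUser-Agent: BitTorrent/7.0\r\n\r\n")
TRACKER_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                    b"Content-Length: 18\r\n\r\nd8:intervali1800ee")
# A peer-wire handshake sent to port 80: not HTTP at all, so the "http"
# filter would not match it even though it sits on the HTTP port.
PEER_WIRE = b"\x13BitTorrent protocol" + b"\x00" * 8

if __name__ == "__main__":
    sample = [(WEB_REQUEST, WEB_RESPONSE), (TRACKER_REQUEST, TRACKER_RESPONSE),
              (PEER_WIRE, b"")]
    for q, _ in sample:
        print(f"{q[:20]!r:32} matches 'http': {matches_http_filter(q)}")
    print(tally(sample))
```

Both the web fetch and the tracker announce satisfy the syntax check, which is exactly why a capture filtered on "http" alone picks up P2P control traffic; only the Content-Type step separates them. In tshark the same refinement can be expressed directly on the http.content_type field (e.g. a display filter of http.content_type contains "text/html"); note that in current tshark releases -Y is the display-filter option, while -R is a read filter that now requires two-pass mode (-2).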