Wireshark-users: Re: [Wireshark-users] Hex Offset Needed
From: Martin Visser <[email protected]>
Date: Tue, 2 Mar 2010 13:52:39 +1100
John,

This is a bit tricky. Firstly I don't believe that there is a HTTP response code (or status code) with a value of "0"


Also the HTTP "User-Agent" is going to go out in the request, and is not seen in the response. So whatever you do needs to be "stateful" knowing that the response is associated with a particular requests.

Also I don't think there is a guarantee and on the "offset" in a packet where the response code will be and almost certainly not for the "User-Agent"  string as it usually preceded by the "Accept" string which is quite variable amongst browsers. 

However you can use the Wireshark "Packet Bytes" pane (usually at the bottom of the window) to see if you cand devise something that is a "good enough" filter to limit what you capture and then refine it further with Wireshark to do it properly.


 
Regards, Martin

[email protected]


On Tue, Mar 2, 2010 at 11:36 AM, Sheahan, John <[email protected]> wrote:

Another way for me  to track this problem down is for me to sniff all Safari browsers on MAC’s using HTTP coming into our webservers.

 

I will need to create a filter using the offset values for:

 

HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en)

 

Can anyone help me this together?

 

Thanks

 

john

 

 

 

From: [email protected] [mailto:[email protected]] On Behalf Of Sheahan, John
Sent: Monday, March 01, 2010 5:38 PM
To: 'Community support list for Wireshark'
Subject: [Wireshark-users] Hex Offset Needed

 

I am trying to troubleshoot an HTTP problem where the StatusCode=0 in the HTTP header.


I need to capture packets containing this parameter but since I am doing it on a Netscout probe, I have no way to figure out the offset of this in a packet.

 

Can anyone tell me what hex offset I would need to put in as a filter to capture these packets?

 

Thanks

 

John


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:[email protected]?subject=unsubscribe