Wireshark-users: Re: [Wireshark-users] filter for ONLY initial get request

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 9 Aug 2010 17:25:04 +0200
On 8 aug 2010, at 18:22, Jeffs wrote:
>> so use
>> (http.request.method == "GET")&&  (http.request.uri == "/")
>> 
> Thank you!  That is very much what I am looking for.  Does Wireshark 
> take regex expressions because after using your filter (which gets me 
> about 80% of what I need) I see there are many URLs which look like 
> this, which I would also like:
> 
> www.domainname.com/landingpagelink
> 
> and the http.request.uri == "/"
> 
> will not capture those embedded links because of the trailing 
> "/landingpagelink"

What is your ultimate goal? There are several scenarios for how HTTP objects are requested, each with its own way of being detected. There might not be an easy way to accomplish exactly what you want without false positives or false negatives.

You might also have a look at all requests that don't have a "Referer:" header. This means the URL was typed in manually. You can use the filter 'http.request.method=="GET" && ! http.referer', but that would miss all the landing pages that were visited by clicking on a link from other sites (like clicking on a search result in Google).

If you also want the landing pages of sites that were visited by clicking on a link on another site, then you would need to do some analysis on the Referer: header. You might want to include only requests in your output for which the Referer header contains a different host part than the Host header in the request. This might be possible with some Lua scripting. If not, it's definitely possible by using tshark and some CLI scripting.

But the most important part in solving your problem is to exactly define which requests should be listed and which ones should not.

Cheers,


Sake
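
The tshark-plus-CLI approach suggested in the message above, as an added example that is not part of the original post: it keeps GET requests that have no Referer, or whose Referer host differs from the Host header. The function names, the `capture.pcap` file name and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag candidate landing-page requests in tshark field output.
# stdin: tab-separated http.host, http.request.uri, http.referer, as printed by
# (capture.pcap is a placeholder file name):
#   tshark -r capture.pcap -Y 'http.request.method == "GET"' \
#     -T fields -e http.host -e http.request.uri -e http.referer
landing_pages() {
    awk -F '\t' '
    # Reduce a Host header value or a Referer URL to a bare lowercase host.
    function hostpart(s) {
        s = tolower(s)
        sub("^[a-z][a-z0-9+.-]*://", "", s)   # drop the scheme
        sub("[/?#].*$", "", s)                # drop path, query, fragment
        sub("^.*@", "", s)                    # drop userinfo
        sub(":[0-9]*$", "", s)                # drop the port
        return s
    }
    $1 != "" {                                # skip requests without Host
        if ($3 == "")
            reason = "no-referer"             # typed, bookmarked or stripped
        else if (hostpart($3) != hostpart($1))
            reason = "external-referer"       # link followed from another site
        else
            next                              # same-site navigation or asset
        print reason "\t" $1 $2
    }'
}

# Constructed sample rows (not from a real capture): host, URI, referer.
sample_requests() {
    printf '%s\t%s\t%s\n' \
        'www.example.com' '/' '' \
        'www.example.com' '/style.css' 'http://www.example.com/' \
        'shop.example.net' '/landingpagelink' 'http://www.google.com/search?q=shop' \
        'shop.example.net:8080' '/cart' 'http://SHOP.example.net:8080/landingpagelink'
}

sample_requests | landing_pages
```

The Referer header is supplied by the client and can be suppressed by browser referrer policy, so treat `no-referer` rows as candidates to review rather than a definitive list.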