Wireshark-users: Re: [Wireshark-users] filter for ONLY initial get request

From: Jeffs <jeffs@xxxxxxxxxxxxx>
Date: Thu, 12 Aug 2010 13:16:22 -0400
On 8/12/2010 12:33 PM, Thierry Emmanuel wrote:

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jeffs
Sent: Thursday 12 August 2010 15:54
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] filter for ONLY initial get request


I can't understand how those other domains get in there with Sake's
filter of "http.request and http.accept contains "text/html"?

I have tested. And you are right. The Accept header seems to be a filter for the browser to negotiate accepted content with the server. And this filter can be very large according to the browser. For example, with Opera, some files have a "*/*" accept header. Some JavaScript scripts or DLLs have an accept header which contains "text/html". I didn't know how this header behaved before so I didn't notice, but it seems this one will not suit.
In my humble opinion, the most relevant header is the http.content_type which is in the http response, so if there is not a solution to that problem, you'll have to use this one. You'll have to make a relation between the request (to have the domain name) and the response (to have the true MIME type information). It isn't simple to do so, I think you'll have to make a script. We have a great chance that http is commonly over tcp so I advise you to use the tcp.stream field to establish this link.

I invite Sake to react another time about this issue because he may have another solution to fix that problem.

Best regards



Okay, let me see if I have this right... Using a script I would look for the GET request to contain the domain name with the http.content_type == "text/html" in the server response. If both of those conditions are true, grab the domain.

Is that the gist of it?
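The pairing Thierry describes, and Jeffs summarises, can be done offline over tshark field output. The script below is an added example written for this page, not code from either poster or from the Wireshark project. It assumes the fields were exported with a command like `tshark -r capture.pcap -Y http -T fields -E separator=/t -e frame.number -e tcp.stream -e http.request.method -e http.host -e http.response.code -e http.content_type` (all real Wireshark field names), and it assumes that within one tcp.stream responses arrive in the same order as their requests, which is what HTTP/1.1 guarantees for keep-alive and pipelined connections. The sample lines embedded in the script are constructed, not taken from a real capture.

```python
"""Correlate HTTP requests with their responses per tcp.stream and report
the hosts whose response really was text/html (not what Accept claimed)."""
import sys
from collections import defaultdict, deque

# Constructed sample of tshark "-T fields" output (tab-separated), one line per
# HTTP message. Request lines carry method/host; response lines carry code/type.
# Columns: frame.number, tcp.stream, http.request.method, http.host,
#          http.response.code, http.content_type
SAMPLE = """\
1\t0\tGET\twww.example.com\t\t
2\t1\tGET\tcdn.example.net\t\t
3\t0\t\t\t200\ttext/html; charset=UTF-8
4\t1\t\t\t200\tapplication/javascript
5\t0\tGET\twww.example.com\t\t
6\t0\t\t\t200\timage/png
7\t2\tGET\tstatic.example.org\t\t
8\t2\t\t\t304\t
"""

NUM_FIELDS = 6


def correlate(lines):
    """Pair each response with the oldest unanswered request in its tcp.stream.

    Returns a list of (request, response) dicts in response order. A response
    whose request was never captured (capture started mid-connection) is dropped
    rather than mis-paired with a later request.
    """
    pending = defaultdict(deque)   # tcp.stream -> FIFO of unanswered requests
    pairs = []
    for line in lines:
        if not line.strip():
            continue
        fields = line.rstrip("\n").split("\t")
        # tshark omits nothing, but pad defensively if a line is short
        fields += [""] * (NUM_FIELDS - len(fields))
        frame, stream, method, host, code, ctype = fields[:NUM_FIELDS]
        if method:
            pending[stream].append(
                {"frame": int(frame), "method": method, "host": host})
        elif code:
            if not pending[stream]:
                continue                      # orphan response, skip it
            request = pending[stream].popleft()
            pairs.append((request, {"frame": int(frame), "code": code,
                                    "content_type": ctype}))
    return pairs


def html_page_hosts(lines):
    """Hosts that served a response whose MIME type (parameters stripped) is text/html."""
    hosts = set()
    for request, response in correlate(lines):
        mime = response["content_type"].split(";")[0].strip().lower()
        if mime == "text/html":
            hosts.add(request["host"])
    return sorted(hosts)


if __name__ == "__main__":
    # Usage: tshark ... | python3 correlate_http.py   (or run with no input for the sample)
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE.splitlines()
    for request, response in correlate(source):
        print(f"stream-paired frames {request['frame']}->{response['frame']}: "
              f"{request['host']} {response['code']} {response['content_type'] or '-'}")
    print("hosts that served text/html:", ", ".join(html_page_hosts(source)))
```

On the constructed sample the script pairs frames 1/3, 2/4, 5/6 and 7/8 and reports only www.example.com, because cdn.example.net returned JavaScript and the 304 carried no Content-Type at all (a 304 tells the browser to reuse its cached copy, so the true type is not visible in that exchange). Note that Wireshark's HTTP dissector also links the two frames itself (the http.request_in field on the response), which would let you skip the manual pairing; the tcp.stream approach above is the one the reply suggests.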