Ethereal-users: Re: [Ethereal-users] Filtering HTTP-Traffic for Content-Type

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Wed, 28 May 2003 21:10:38 +0100

Guy Harris wrote:

>On Wed, May 28, 2003 at 02:08:46PM +0200, spam wrote:
>> Is there a possibility to filter HTTP-Traffic for "Content-Type:
>> text/html" ? I just want HTTP-Traffic displayed which is text/html.
>
>No.  The HTTP dissector currently doesn't put HTTP headers into the
>protocol tree as "named fields"; that might be something useful for
>somebody to add.

I agree with Guy that the best approach would be to make modifications to the http dissector,
but I want to mention that the ngrep program could be useful if you need to search for strings anywhere in a packet.
http://www.packetfactory.net/Projects/ngrep/
http://www.linuxgazette.com/issue57/eyler2.html
http://ngrep.sourceforge.net/ngrep.8.html

>ngrep -I http.pcap -O outfile.pcap "Content-Type: text/html"

It's also possible to combine the "match expression" with a tcpdump style filter as in the following example:

>ngrep -I http.pcap -O outfile.pcap "Content-Type: text/html" host 10.0.0.1 and tcp port 80

However, I guess that you may not get the packets that are fragmented somewhere in the "Content-Type: text/html" string,
i.e. if the whole string is not in the same packet.

I have not used ngrep so much myself yet, so I don't know so much about it.

Regards,
  Martin
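
The split-string caveat in the message above, as an added example that is not part of the original post and is not ngrep's code: it compares a per-packet substring match with a match over the stream rebuilt by TCP sequence number. The segments are constructed sample data and the function names are hypothetical.

```python
# Constructed sample, not a real capture: (tcp_seq, payload) pairs for one HTTP
# response, delivered out of order with one retransmission.
NEEDLE = b"Content-Type: text/html"
SEGMENTS = [
    (1000, b"HTTP/1.1 200 OK\r\nServer: demo\r\nContent-Ty"),
    (1058, b"<html>hello</html>"),
    (1041, b"pe: text/html\r\n\r\n"),
    (1041, b"pe: text/html\r\n\r\n"),  # retransmission
]

def per_packet_hits(segments, needle):
    """Indices of segments whose own payload contains the needle."""
    return [i for i, (_, data) in enumerate(segments) if needle in data]

def reassemble(segments):
    """Rebuild the byte stream by sequence number; returns (base_seq, stream).
    Assumes no sequence wraparound. First copy of a byte wins; stops at a gap."""
    ordered = sorted(segments, key=lambda s: s[0])
    base, stream = ordered[0][0], bytearray()
    for seq, data in ordered:
        offset = seq - base
        if offset > len(stream):  # hole in the stream: nothing beyond is reliable
            break
        stream += data[len(stream) - offset:]  # skip bytes already seen
    return base, bytes(stream)

def stream_hits(segments, needle):
    """Indices of segments carrying any byte of a match in the rebuilt stream."""
    base, stream = reassemble(segments)
    hits, pos = set(), stream.find(needle)
    while pos != -1:
        lo, hi = base + pos, base + pos + len(needle)
        hits.update(i for i, (seq, data) in enumerate(segments)
                    if seq < hi and seq + len(data) > lo)
        pos = stream.find(needle, pos + 1)
    return sorted(hits)

if __name__ == "__main__":
    print("per-packet match:", per_packet_hits(SEGMENTS, NEEDLE))
    print("stream match:    ", stream_hits(SEGMENTS, NEEDLE))
```

On the sample, the per-packet pass finds nothing because the header straddles two segments, while the stream pass reports both halves and the retransmitted copy.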