Wireshark-users: [Wireshark-users] Methods for finding "extraneous" http traffic

Date Prev · Date Next · Thread Prev · Thread Next
From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Tue, 31 Oct 2006 15:39:59 -0500
I am working with some large network captures.  Most of the traffic is
http (actually http to a proxy server listening on TCP/8080).

I would like to find a way to classify the traffic - something like:
Plain vanilla http (web pages)
Tunneling protocols (SSL VPNs, IM, or anything else tunneling through
http/http proxy)
Large images
Video/Streaming Media
Etc.

I realize you can look by hand, but during a typical two minute capture,
I am getting around 100,000 packets so I need a pattern match.  This
list has been great - for example after reading about dumpcap I used
that instead of Wireshark to do the capture and it worked fabulously.  I
am hoping to glean some insight into how to deal with this!

This is for several reasons including security and especially for
bandwidth management.  I would like to be able to see for example, what
percentage of my traffic/bandwidth is being eaten up by large
images/video/streaming media.

Any ideas, suggestions, links, references or advice would be greatly
appreciated.

Thank you,
  --Jim