Wireshark-users: Re: [Wireshark-users] Hex Offset Needed
Good points Martin.

You’re right about there being no HTTP response code of 0. The software that the web guys use to analyze the front end web traffic will put a “0” in if it finds a packet that has an HTTP accept and for some reason the HTTP response code is missing or unreadable, and these are the packets that I’m trying to capture. However, there is so much HTTP traffic on the web segment that my buffer fills up in seconds, so I need to try and narrow it down with a filter.

The only things I have to go by are:

1. Sometimes the HTTP Response code can’t be read.
2. The problem seems to come from Safari browsers on Mac machines.

Since the User Agent data comes after a variable length Accept field as you point out, wouldn’t it be easier for me at this point to filter on just Accept messages? I think if I do it this way, it will take a good amount of time to fill up the buffer and I can look to the web admins to tell me when they see the error in their logs and match it up that way?

Thanks for the help

John

From:
wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Visser

John,

This is a bit tricky. Firstly I don't believe that there is an HTTP response code (or status code) with a value of "0" (see http://en.wikipedia.org/wiki/List_of_HTTP_status_codes and the RFCs).

Also the HTTP "User-Agent" is going to go out in the request, and is not seen in the response. So whatever you do needs to be "stateful", knowing that the response is associated with a particular request.

Also I don't think there is a guarantee on the "offset" in a packet where the response code will be, and almost certainly not for the "User-Agent" string as it is usually preceded by the "Accept" string, which is quite variable amongst browsers.

However you can use the Wireshark "Packet Bytes" pane (usually at the bottom of the window) to see if you can devise something that is a "good enough" filter to limit what you capture and then refine it further with Wireshark to do it properly.

On Tue, Mar 2, 2010 at 11:36 AM, Sheahan, John <John.Sheahan@xxxxxxxxxxxxx>
wrote:

Another way for me to track this problem down is for me to sniff all Safari browsers on Macs using HTTP coming into our webservers.

I will need to create a filter using the offset values for:

HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en)

Can anyone help me put this together?

Thanks

john

From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sheahan, John

I am trying to troubleshoot an HTTP problem where the StatusCode=0 in the HTTP header.

Can anyone tell me what hex offset I would need to put in as a filter to capture these packets?

Thanks

John
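
Added example (not part of the original thread and not Wireshark code): a sketch of the "stateful" matching discussed above, which finds User-Agent by header name instead of a fixed offset and pairs it with the first response segment on the same TCP flow. The function names, addresses, the Safari token appended to the User-Agent and the sample payloads are constructed assumptions, and each HTTP message is assumed to start at a segment boundary.

```python
import re

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})(?: |\r\n)")
# Constructed UA: the string from the thread plus an assumed Safari token.
MAC_UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en) AppleWebKit/0 Safari/0"

def user_agent(payload):
    """Find User-Agent in a request by header name, never by byte offset."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None

def status_code(payload):
    """Return the 3-digit status code of a response, or None if unreadable."""
    m = STATUS_LINE.match(payload)
    return int(m.group(1)) if m else None

def suspect_responses(segments, server_port=80):
    """Pair each response with its request's UA; return flagged (flow, ua)."""
    agents, hits = {}, []
    for src, sport, dst, dport, payload in segments:   # capture order
        if dport == server_port:                  # client -> server: remember UA
            ua = user_agent(payload)
            if ua:
                agents[(src, sport, dst, dport)] = ua
        elif sport == server_port:                # server -> client: pair it up
            flow = (dst, dport, src, sport)
            ua = agents.pop(flow, None)           # first segment after a request
            if ua and "Macintosh" in ua and "Safari" in ua and status_code(payload) is None:
                hits.append((flow, ua))
    return hits

def req(accept, ua):
    """Build a constructed HTTP request with the given Accept and User-Agent."""
    return (f"GET / HTTP/1.1\r\nHost: www.example.com\r\nAccept: {accept}\r\n"
            f"User-Agent: {ua}\r\n\r\n").encode()

WEB, BAD = ("198.51.100.5", 80), b"\x00\x00garbled"   # constructed server, payload
SAMPLE = [  # constructed segments, documentation addresses only
    ("192.0.2.10", 40001, *WEB, req("*/*", MAC_UA)),
    (*WEB, "192.0.2.10", 40001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.11", 40002, *WEB, req("text/html,application/xml;q=0.9", MAC_UA)),
    (*WEB, "192.0.2.11", 40002, BAD),
    ("192.0.2.12", 40003, *WEB, req("*/*", "Mozilla/4.0 (compatible; MSIE 7.0)")),
    (*WEB, "192.0.2.12", 40003, BAD),
]
print(suspect_responses(SAMPLE))
```

Only the second flow is reported: the first has a readable 200 status line and the third is not a Mac Safari client. The two Mac requests also place User-Agent at different byte offsets because their Accept values differ in length.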