Nope, you're not missing anything, I omitted something ;-)
Indeed rightshifting is a division, but I forgot to mention that in taking the upper 4 bits by anding with 0xf0, the result must first be devided by 16. So rightshifting 4 bits and then leftshifting two bits. Result: rightshifting 2 bits.
Cheers,
Sake On 4 mrt 2010, at 06:17, Jehanzeb Khan wrote: Hi Sake I hope all is well at your end. I was just wondering if shifting right would be division instead of multiplication? Or am i missing something?
Regards Jehanzeb
From: Sake Blok <sake@xxxxxxxxxx> To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx> Sent: Thu, March 4, 2010 2:42:29 AM Subject: Re: [Wireshark-users] Hex Offset Needed
Or if your capturing device is capable of interpreting tcpdump style filters (or more accurately, BPF style filters), you could use:
tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2] = 0x2030
Which in English would be: - take the upper 4 bits of the 12th octet in the tcp header ( tcp[12:1] & 0xf0 ) - multiply it by four ( (tcp[12:1] & 0xf0)>>2 ) which should give the tcp header length - add 8 ( ((tcp[12:1] & 0xf0) >> 2) + 8 ) gives the offset into the tcp header of the space before the first octet of the response code - now take two octets from the tcp stream, starting at that offset ( tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2] ) - and verify that they are " 0" ( = 0x2030 )
Of course this can give you false positives, so you might want to add a test for "HTTP" and the start of the tcp payload with:
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450
resulting in the filter:
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 and tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2] = 0x2030
A bit cryptic, but it works, even when TCP options are present (which would mess up a fixed offset into the tcp data).
Cheers,
Sake
On 3 mrt 2010, at 18:17, Abhijit Bare wrote: Hi John,
Can you use "http/1.1" string as an indicator of response code? Only HTTP response packets have "http/1.1" or "http/1.0" (case can be upper) followed by a <space> followed by http response code (look for one digit). If you can parse this out while stream is coming in and that digit is "0", will that mean that you have found the packet? HTTP request also has "http/1.1", but there is generally no space and digit following it. Other traffic may not have the same pattern too.
Thanks, Abhijit
On Tue, Mar 2, 2010 at 5:09 AM, Sheahan, John <John.Sheahan@xxxxxxxxxxxxx> wrote: Good points Martin.
You’re right about there being no HTTP response code of 0.
The software that the web guys use to analyze the front end web traffic will put a “0” in if it finds a packet that has an http accept and for some reason the HTTP response code is missing or unreadable and these are the packets that I’m trying to capture however there is so much HTTP traffic on the web segment that my buffer fills up in seconds so I need to try and narrow it down with a filter.
The only things I have to go by are:
1. Sometimes the HTTP Response code can’t be read. 2. The problem seems to come from Safari browsers on MAC machines
Since the User Agent data comes after a variable length Accept field as you point out, wouldn’t be easier for me at this point to filter on just Accept messages? I think if I do it this way, it will take a good amount of time to fill up the buffer and I can look to the web admins to tell me when they see the error in their logs and match it up that way?
Thanks for the help
John
John, This is a bit tricky. Firstly I don't believe that there is a HTTP response code (or status code) with a value of "0" Also the HTTP "User-Agent" is going to go out in the request, and is not seen in the response. So whatever you do needs to be "stateful" knowing that the response is associated with a particular requests. Also I don't think there is a guarantee and on the "offset" in a packet where the response code will be and almost certainly not for the "User-Agent" string as it usually preceded by the "Accept" string which is quite variable amongst browsers. However you can use the Wireshark "Packet Bytes" pane (usually at the bottom of the window) to see if you cand devise something that is a "good enough" filter to limit what you capture and then refine it further with Wireshark to do it properly. Regards, Martin
MartinVisser99@xxxxxxxxx
On Tue, Mar 2, 2010 at 11:36 AM, Sheahan, John <John.Sheahan@xxxxxxxxxxxxx> wrote: Another way for me to track this problem down is for me to sniff all Safari browsers on MAC’s using HTTP coming into our webservers.
I will need to create a filter using the offset values for:
HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en)
Can anyone help me this together?
Thanks
john
I am trying to troubleshoot an HTTP problem where the StatusCode=0 in the HTTP header. I need to capture packets containing this parameter but since I am doing it on a Netscout probe, I have no way to figure out the offset of this in a packet.
Can anyone tell me what hex offset I would need to put in as a filter to capture these packets?
Thanks
John ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
|