Wireshark-users: Re: [Wireshark-users] How to filter all the http related stuff from a pcap file

From: Ashish Jain <ashjain2@xxxxxxxxx>
Date: Mon, 3 May 2010 02:01:28 +0530
Thanks everyone for all the suggestions.
Sadly I am still not able to make it work :(. I have tried the following:
[1] File->Export->Objects->HTTP does not display any results.
[2] Sort by HTTP, but I see the protocol for all the packets as TCP, so this also does not work.
[3] I applied the filter "http.request.method == GET or http.request.method == POST"
and this also does not display any results. I later tried with http.request.method == GET;
even then I did not get any results.
 
The only way I am able to see data, for maybe 200 packets, is by selecting one packet and
using the option "follow tcp stream". Once I do that I see the following:
 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
GET /XXXXX/quickview.do?id=100&rows=50 HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: abc.xyz.com
Connection: Keep-Alive
Cookie: JSESSIONID=300441658D8EABD7119231C4FF0CB0B5; KSS_USR_ID=TERYUI; KSS_USR_NM="Gujrati Dhokle"
 
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 29 Apr 2010 14:27:49 GMT
 
2000
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
I am looking to get all the data as displayed above.
Thanks for all your help

--Ashish
On Mon, May 3, 2010 at 1:05 AM, sandeep nitta <sandeep.nitta@xxxxxxxxx> wrote:
How about applying the display filter: "http.request.method == GET or
http.request.method == POST" and then saving the data into a new file?

By the way, File|Export|Objects|HTTP didn't work for me. I am attaching
the file for analysis, if anyone can point out why it didn't work.
I am using v 1.2.4 of Wireshark on Win XP.

Thanks,
sandeep Nitta

On Fri, Apr 30, 2010 at 10:48 PM, Sheahan, John
<John.Sheahan@xxxxxxxxxxxxx> wrote:
> I usually just sort the traffic by protocol in the display and I get a nice
> concise view of all the HTTP traffic
>
>
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Ashish Jain
> Sent: Friday, April 30, 2010 6:50 AM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] How to filter all the http related stuff from a
> pcap file
>
>
>
> Hi All,
>
> This is my very first post to the Wireshark community. I am a newbie and have
> recently installed Wireshark to analyse a pcap file.
> The pcap file has around 84000 packets so it is not possible to manually see
> the data in each packet. I want to get all the
> data related to HTTP GET and POST in one file. I tried "follow tcp stream"
> but I see very limited stuff in it and not everything.
> Can someone guide me on this?
>
> Thanks
> Ashish
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>

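
Added example (not part of the original thread, and not Wireshark code): when the Protocol column shows only TCP and the http.* display filters match nothing, even though Follow TCP Stream shows a GET, one way to still list every GET/POST is to match on TCP payload content instead of on HTTP dissection. The Python sketch below does that for a classic Ethernet/IPv4 pcap. The function names, the sample addresses, port 8080 and the host abc.example are all constructed for illustration, and the thread itself does not establish why the capture was not dissected as HTTP.

```python
import struct

METHODS = (b"GET ", b"POST ")

def http_requests(pcap: bytes):
    """Return (src, dst, dst_port, request_line) for TCP payloads starting with GET/POST."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # untagged IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        # Drop Ethernet padding; fall back to the captured bytes if the length is bogus.
        tcp = ip[ihl:total_len] if total_len >= ihl + 20 else ip[ihl:]
        if ip[9] != 6 or ihl < 20 or len(tcp) < 20:  # TCP only
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload.startswith(METHODS):  # matched on content, not on port
            line = payload.split(b"\r\n", 1)[0].decode("latin-1")
            src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
            hits.append((src, dst, struct.unpack("!H", tcp[2:4])[0], line))
    return hits

def sample_pcap() -> bytes:
    """Constructed capture: a GET to port 8080 plus one non-HTTP segment."""
    def record(dport, payload):
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + tcp
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    get = b"GET /quickview.do?id=100 HTTP/1.1\r\nHost: abc.example\r\n\r\n"
    return header + record(8080, get) + record(8080, b"\x16\x03\x01\x00")

if __name__ == "__main__":
    for hit in http_requests(sample_pcap()):
        print(*hit)
```

For a real capture, pass the file's bytes to http_requests(). It does no TCP reassembly, so a request line that does not start at the beginning of a segment is missed.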