Wireshark-users: Re: [Wireshark-users] filter for ONLY initial get request

From: "Thierry Emmanuel" <Emmanuel.Thierry@xxxxxxxxxxxxxxx>
Date: Thu, 12 Aug 2010 18:33:58 +0200

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jeffs
Sent: Thursday, 12 August 2010 15:54
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] filter for ONLY initial get request


> I can't understand how those other domains get in there with Sake's
> filter of "http.request and http.accept contains "text/html"?

I have tested, and you are right. The Accept header seems to be a filter for the browser to negotiate accepted content with the server, and this filter can be very large depending on the browser. For example, with Opera, some files have a "*/*" Accept header, and some JavaScript scripts or DLLs have an Accept header which contains "text/html". I didn't know how this header behaved before, so I didn't notice, but it seems this one will not suit.
In my humble opinion, the most relevant header is http.content_type, which is in the HTTP response, so if there is no solution to that problem, you'll have to use this one. You'll have to make a relation between the request (to have the domain name) and the response (to have the true MIME type information). It isn't simple to do so; I think you'll have to write a script. Fortunately, HTTP is commonly carried over TCP, so I advise you to use the tcp.stream field to establish this link.

I invite Sake to react another time about this issue because he may have another solution to fix that problem.

Best regards
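As an added example (not code from the mailing-list thread or from the Wireshark project): a small Python script in the spirit of the suggestion above. It consumes a tshark "-T fields" dump and uses tcp.stream to pair each response with the request it answers, so that the Host/URI from the request can be filtered by the Content-Type of the response rather than by the Accept header. The capture lines, host names and URIs embedded in it are constructed for illustration, not taken from a real trace.

```python
"""Correlate HTTP requests with their responses by tcp.stream.

Added example, not part of the original post. It expects the output of a
tshark field dump such as (one frame per line, tab-separated):

    tshark -r capture.pcap -Y http -T fields -E separator=/t -E header=n \
        -e frame.number -e tcp.stream -e http.request.method -e http.host \
        -e http.request.uri -e http.response.code -e http.content_type

Each response is paired with the earliest unanswered request on the same
tcp.stream. HTTP/1.x responses are returned in request order on a given
connection, so a FIFO queue per stream is the right model even when several
requests share a keep-alive connection.
"""
from collections import defaultdict, deque

# Constructed sample of tshark "-T fields" output (tab-separated); not a real
# capture. Stream 3 carries two keep-alive requests whose responses arrive in
# order, and only the first of them is actually text/html. Stream 4 holds a
# request that never gets a response.
SAMPLE_TSV = """\
1\t0\tGET\twww.example.com\t/\t\t
2\t0\t\t\t\t200\ttext/html; charset=UTF-8
3\t1\tGET\tcdn.example.net\t/app.js\t\t
4\t1\t\t\t\t200\tapplication/javascript
5\t3\tGET\twww.example.com\t/page2\t\t
6\t3\tGET\twww.example.com\t/logo.png\t\t
7\t3\t\t\t\t200\ttext/html
8\t3\t\t\t\t200\timage/png
9\t4\tGET\twww.example.com\t/missing\t\t
"""

FIELDS = ("frame", "stream", "method", "host", "uri", "status", "ctype")


def parse_fields(text):
    """Yield one dict per tshark output line, keeping empty fields as ''."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # tolerate missing trailing tabs
        yield dict(zip(FIELDS, parts))


def correlate(records):
    """Pair requests with responses per tcp.stream.

    Returns a list of (request_frame, response_frame, host, uri, status,
    content_type) tuples in response order. Requests that never receive a
    response are dropped; responses whose request was not captured (capture
    started mid-connection) are skipped.
    """
    pending = defaultdict(deque)  # tcp.stream -> FIFO of unanswered requests
    pairs = []
    for rec in records:
        if rec["method"]:          # request frame
            pending[rec["stream"]].append(rec)
        elif rec["status"]:        # response frame
            queue = pending[rec["stream"]]
            if not queue:
                continue           # no matching request seen on this stream
            req = queue.popleft()
            pairs.append((req["frame"], rec["frame"], req["host"], req["uri"],
                          rec["status"], rec["ctype"]))
    return pairs


def html_pages(records):
    """(host, uri) of every request whose *response* carried an HTML body.

    The media type is compared without its parameters, so
    'text/html; charset=UTF-8' matches while 'application/javascript' does not.
    """
    return [(host, uri)
            for _rq, _rs, host, uri, _status, ctype in correlate(records)
            if ctype.split(";", 1)[0].strip().lower() == "text/html"]


if __name__ == "__main__":
    for host, uri in html_pages(parse_fields(SAMPLE_TSV)):
        print(f"http://{host}{uri}")
```

A display filter such as `http.response and http.content_type contains "text/html"` finds the right responses on its own, but a response frame carries no Host header, which is why the pairing step is needed to recover the domain. Recent Wireshark versions also expose `http.response_in` on request frames and `http.request_in` on response frames, which link the two directly; adding `-e http.response_in` to the tshark command lets a script join on that field instead of replaying the per-stream queue.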