Dear all,
I am trying to filter all GET-requests to a
certain server out of a PCAP file. The display filter rule I use is “http.host
contains servername”. This works fine as long as I am having the complete
PCAP file. Then I save the filtered packets in a new PCAP file. When I in turn open
this PCAP file, the GET-requests, which weren’t in a fragmented PDU, are
shown correctly. However, the others (the fragmented GET-requests) are now
displayed as “Continuation or non-HTTP traffic”. I found
out that the dissection of the complete PCAP file makes use of packet data of neighboring
packets, which are not saved in the output PCAP file.
The save procedure only saves the last
packet of the fragmented PDU. Is there any solution to save all required
packets in the resulting PCAP file, which allows for proper dissection later
on?
Thanks in advance for your help
Regards
Gerd Windisch