Wireshark-users: [Wireshark-users] Method to accomplish the equivalent of "http.content_length >
I have a periodic need to identify object downloads in http traces. This is
easily accomplished by setting the display filter (http.response.code == 200).
Some traces, however, may contain large numbers of tiny and (for my purposes)
inconsequential objects, so I would like to be able to additionally apply
something like (http.content_length > nnnn) to return only the larger
reassembled objects.
This does not work, however, because (I believe) that Wireshark treats the
value of http.content_length as a string, not an integer, so the "greater-than"
functionality does not apply. Interestingly, the filter editor / syntax checker
does let me build and apply such a filter, but the results seem random,
returning a mix of http 200 frames whose content lengths are larger and smaller
than the value of nnnn.
Is there a way to accomplish what I am trying to do? Is there a reason that
greater-than is allowed on non-numerical fields? Is there some way to leverage
this which I am not seeing?
Alternatively, is there any other way to accomplish something similar? For
example, it would be great if there were a way to accomplish something
logically similar to (tcp.reassemble_size > nnnn).
The latter approach would actually be useful in several other cases I can think
of, as well.
Thanks in advance for any insights.
