| Thanks Martin, but I will have to hand over the WWW to Gerald as he has posted a filter like "tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0xXXXXXXXX" before on this list.... I just reused it and added a little bit of my own ;-)
Cheers,
Sake On 4 mrt 2010, at 03:37, Martin Visser wrote: Sake,
With that capture filter you get to take the Wireshark Wizard Wand home for the whole week!!!
On a serious note, is libpcap able to process that filter efficiently ( I am sure it is much better than using a display filter)
Regards, Martin MartinVisser99@xxxxxxxxx
On Thu, Mar 4, 2010 at 8:42 AM, Sake Blok <sake@xxxxxxxxxx> wrote:
Or if your capturing device is capable of interpreting tcpdump style filters (or more accurately, BPF style filters), you could use:
tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2] = 0x2030
Which in English would be: - take the upper 4 bits of the 12th octet in the tcp header ( tcp[12:1] & 0xf0 ) - multiply it by four ( (tcp[12:1] & 0xf0)>>2 ) which should give the tcp header length
- add 8 ( ((tcp[12:1] & 0xf0) >> 2) + 8 ) gives the offset into the tcp header of the space before the first octet of the response code - now take two octets from the tcp stream, starting at that offset ( tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2] )
- and verify that they are " 0" ( = 0x2030 )
Of course this can give you false positives, so you might want to add a test for "HTTP" and the start of the tcp payload with:
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450
resulting in the filter:
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 and tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2] = 0x2030
A bit cryptic, but it works, even when TCP options are present (which would mess up a fixed offset into the tcp data).
Cheers,
Sake
On 3 mrt 2010, at 18:17, Abhijit Bare wrote: Hi John,
Can you use "http/1.1" string as an indicator of response code? Only HTTP response packets have "http/1.1" or "http/1.0" (case can be upper) followed by a <space> followed by http response code (look for one digit). If you can parse this out while stream is coming in and that digit is "0", will that mean that you have found the packet? HTTP request also has "http/1.1", but there is generally no space and digit following it. Other traffic may not have the same pattern too.
Thanks,
Abhijit
On Tue, Mar 2, 2010 at 5:09 AM, Sheahan, John <John.Sheahan@xxxxxxxxxxxxx> wrote:
Good points Martin.
You’re right about there being no HTTP response code of 0.
The software that the web guys use to analyze the front end web
traffic will put a “0” in if it finds a packet that has an http accept and for
some reason the HTTP response code is missing or unreadable and these are the
packets that I’m trying to capture however there is so much HTTP traffic on the
web segment that my buffer fills up in seconds so I need to try and narrow it
down with a filter.
The only things I have to go by are:
1.
Sometimes the HTTP Response code can’t be read. 2.
The problem seems to come from Safari browsers on MAC machines
Since the User Agent data comes after a variable length Accept
field as you point out, wouldn’t be easier for me at this point to filter on
just Accept messages? I think if I do it this way, it will take a good amount
of time to fill up the buffer and I can look to the web admins to tell me when
they see the error in their logs and match it up that way?
Thanks for the help
John
John,
This is a bit tricky. Firstly I don't believe that there is
a HTTP response code (or status code) with a value of "0"
Also the HTTP "User-Agent" is going to
go out in the request, and is not seen in the response. So whatever you do
needs to be "stateful" knowing that the response is associated with a
particular requests.
Also I don't think there is a guarantee and on the
"offset" in a packet where the response code will be and almost
certainly not for the "User-Agent" string as it usually
preceded by the "Accept" string which is quite variable amongst
browsers.
However you can use the Wireshark "Packet Bytes"
pane (usually at the bottom of the window) to see if you cand devise something
that is a "good enough" filter to limit what you capture and then
refine it further with Wireshark to do it properly.
Regards, Martin
MartinVisser99@xxxxxxxxx
On Tue, Mar 2, 2010 at 11:36 AM, Sheahan, John <John.Sheahan@xxxxxxxxxxxxx>
wrote:
Another way for me to track this problem down is
for me to sniff all Safari browsers on MAC’s using HTTP coming into our
webservers.
I will need to create a filter using the offset values
for:
HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; U; Intel Mac OS X
10_4_11; en)
Can anyone help me this together?
Thanks
john
I
am trying to troubleshoot an HTTP problem where the StatusCode=0 in the HTTP
header.
I need to capture packets containing this parameter but since I am doing it on
a Netscout probe, I have no way to figure out the offset of this in a packet.
Can
anyone tell me what hex offset I would need to put in as a filter to capture
these packets?
Thanks
John
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe |
