The MATE plugin can group packets.
Below is a slightly modified "12.5.2. A GOP for HTTP requests" to match only POST
requests.

    Pdu http_pdu Proto http Transport tcp/ip {
        Extract addr From ip.addr;
        Extract port From tcp.port;
        Extract http_rq From http.request.method;
        Extract http_rs From http.response;
        // DiscardPduData true;
    };

    Gop http_req On http_pdu Match (addr, addr, port, port) {
        Start (http_rq="POST");
        Stop (http_rs);
    };

There was a MATE presentation (unfortunately not recorded) at SharkFest’24 US:
23: Three-dimensional display filters with MATE, by Chuck Craft
Slide 2 shows steps for adding a MATE script and enabling it.
Slide 10 mentions "5. TCP reassembly may cause issues"
Disable (uncheck) the TCP preference "Allow subdissector to reassemble TCP streams" for the script above to work.