How to display the corresponding response packet when filtering http requests

answered 2024-09-24 12:57:55 +0000

Chuckc
3023 ●6 ●608 ●20

The MATE plugin can group packets.

Below is slightly modified 12.5.2. A GOP for HTTP requests to match only POST requests.

Pdu http_pdu Proto http Transport tcp/ip {
    Extract addr From ip.addr;
    Extract port From tcp.port;
    Extract http_rq From http.request.method;
    Extract http_rs From http.response;
//    DiscardPduData true;
};

Gop http_req On http_pdu Match (addr, addr, port, port) {
    Start (http_rq="POST");
    Stop (http_rs);
};

There was a MATE presentation (unfortunately not recorded) at SharkFest’24 US:

23: Three-dimensional display filters with MATE, by Chuck Craft

Slide 2 shows steps for adding a MATE script and enabling it.
Slide 10 mentions "5. TCP reassembly may cause issues"
Disable (uncheck) the TCP preference "Allow subdissector to reassemble TCP streams" for script above to work.

edit flag offensive delete link

Comments

I have loaded mate as configured. Some information is displayed. But the list doesn't show the corresponding response packet. For example, the response packet for 2292 is 2306。

The picture pasted in the post on top.

gen_tcp ( 2024-09-24 13:26:57 +0000 )edit

Try a filter of mate.http_req which will show all packets that are in http_req Gops.

Chuckc ( 2024-09-24 13:31:37 +0000 )edit

There are no MATE fields for "Start PDU" and "Stop PDU" but you can get there with timestamps:
mate.http_req && ((mate.http_pdu.TimeInGop == 0) || (mate.http_pdu.TimeInGop == mate.http_req.Duration))

Chuckc ( 2024-09-24 13:45:21 +0000 )edit

add a comment

How to display the corresponding response packet when filtering http requests

1 Answer

Comments

Your Answer

Question Tools

Stats

How to display the corresponding response packet when filtering http requests edit

1 Answer

Comments

Your Answer

Question Tools

Stats

How to display the corresponding response packet when filtering http requests