Hello,
I want to know how to display only the responses to a matched http requests.
When I put the filtre http.request.uri contains "/URL" I get only the requests I want to show also the response to all this requets.
Thank you in advance.
Regards
Wireshark generates fields to correlate HTTP requests and responses, so you can do this with a little work.
Apply a display filter of "http.request && !http.request.uri contains "/URL" Note the "!". You are displaying all the requests whose responses you are not interested in.
Click on Edit > Ignore All Displayed.
Now to display the responses you are interested in, apply the display filter "http.request_in".
To see the requests and their matched responses use "http.request && http.request_in".
Based on the information you added in your comment, to find all the responses that had a response code other than 200, the display filter would be: "http.request_in && !http.response.code==200".
Not that easy to get only responses as the response doesn't carry the request URI so you are looking for an association between packets, i.e. the packets that have the frame number that's in the http.response_in field in the request. That would be a good enhancement request to add the request URI as a generated field to the response, raise it over here.
In the UI, you can expand the HTTP tree in the packet details pane for requests displayed by your filter and then click on the `[Response in frame: xxx] field to jump to the response.
If you use tshark and some scripting you can use -T fields -e http.response_in along with your filter to get a list of the response frames that match your request filter and then create a filter from that list, e.g. -f 'frame.number == x || frame number == y ... to then output the response frames.
Asked: 2018-12-07 07:55:41 +0000
Seen: 42,494 times
Last updated: Dec 07 '18
