Ask Your Question
0

Capture Filter - Exclude URL Containing Certain String

asked 2019-03-28 21:00:59 +0000

Is it possible to use a capture filter to exclude traffic to a given path? The problem I'm faced with is trying to determine hits to a web server but only for certain web applications, excluding a particular one.

Ex.

I want to see traffic on google.com/blah I do not want to see traffic on google.com/bloop

I understand capture filters are more limited than display filters but I'd like to limit the size and overhead of the initial capture by only capturing traffic I want to see. The endgoal is to determine individual IPs making requests to this website, excluding traffic to a given X-Original-URL path.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-03-29 21:32:05 +0000

Ross Jacobs gravatar image

updated 2019-03-30 17:20:30 +0000

Capture filters will not be able to do this unless you can specify a different IP address for the server. The problem is that capture filters use a more limited syntax. Capture filters can differentiate source/dest IP and name based on different subdomains/IP addresses. google.com/blah and google.com/bloop; however, both point to the same server. More info can be found on this Stackoverflow question. If somehow there is a different server involved (let's say google.com/drive redirects to drive.google.com), then you can use a capture filter like dst drive.google.com.

Edited: To limit the scope to capture filters

edit flag offensive delete link more

Comments

This is a Display filter, not a capture filter.

Jaap gravatar imageJaap ( 2019-03-30 08:11:51 +0000 )edit

Thanks for the catch @Jaap. Edited question to reflect this.

Ross Jacobs gravatar imageRoss Jacobs ( 2019-03-30 17:04:10 +0000 )edit
1

In particular, they're limited not to be able to do anything involving a loop (so no arbitrary string pattern-matching) or involving string pattern-matching.

Guy Harris gravatar imageGuy Harris ( 2019-03-30 18:26:36 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-03-28 21:00:59 +0000

Seen: 47 times

Last updated: Mar 30