This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there a way to stop capture upon http error 404?

0

I would like to be able to do a free-running capture of all packets until it encounters any HTTP error code 400 and above, and then for Wireshark to stop and save the last 10 minutes of packets. Many thanks in advance for your help!

asked 28 Jan '15, 09:08


TennisFan


2 Answers:

1

Wireshark has no complex filter-driven start/stop mechanism, so this is not supported natively.

What you could do is script something using the command line tools dumpcap and tshark.

answered 28 Jan '15, 12:13


Jaap ♦

0

Recently I published a batch file, dumpcap.bat on http://wiki.wireshark.org/Tools, which might help you if you're running on the Windows platform. Since the batch file currently only supports dumpcap and thus only capture filters and not Wireshark display filters, it would only be practical to use if the HTTP response codes always appear at the same offset in the TCP payload. That might be true for all 404's, but it's probably not going to be true for every error code greater than or equal to 400.

In case you want to look at it, the following might help you get started - modify settings as needed:


 1. Dumpcap runtime priority: NORMAL
 2. Dumpcap Mode: Dumpcap+Event
------------------------------[ DUMPCAP OPTIONS ]------------------------------
 3. Interface: TBD
 4. Capture file: http404.pcapng
 5. Capture filter: tcp port 80
 6. Snaplen Use default value
 7. Promiscuous mode? Y
 8. Buffer size Use default value
 9. Use pcapng format? Y
Autostop conditions:
10. Stop after <infinite> packets
11. Stop after <infinite> seconds
12. Stop after <infinite> kB
13. Stop after <infinite> files
Ringbuffer settings:
14. Switch files after: 600 seconds
15. Switch files after <infinite> kB
16. Ringbuffer max files 2 files
---------------------------[ CAPTURE EVENT OPTIONS ]---------------------------
17. Event Interface TBD
18. Event capture filter tcp port 80 and tcp[29] = 0x34 and tcp[30] = 0x30 and tcp[31] = 0x34
19. Event count 1
20. Event kills dumpcap? Y
21. Delay before kill/action 0 seconds

You can also enable the mailsend feature if you'd like an e-mail notification of when the event occurs.

I know this isn't as easy as being able to specify a tshark display filter of "http.response.code >= 400", but it might be better than nothing.

answered 04 Feb '15, 07:43


cmaynard ♦♦
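Putting the two answers together, here is an added example (not code from either answer, nor a Wireshark tool): a POSIX shell script that runs the dumpcap ring buffer from the second answer with a tshark display filter as the stop trigger, which is the scripted approach the first answer suggests, and that builds data-offset-aware versions of the second answer's byte-offset capture filter. The interface name, output prefix and delay variables are assumed defaults, and dumpcap and tshark are assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not code from the original answers or from Wireshark: keeps a
# 2-file ring buffer (600 s per file) with dumpcap and kills it once tshark sees
# an HTTP response with status >= 400. IFACE, OUT and DELAY are assumed names.
set -eu
IFACE="${IFACE:-eth0}"       # capture interface (assumed default)
OUT="${OUT:-http_error}"     # capture file prefix (constructed name)
DELAY="${DELAY:-0}"          # seconds to keep capturing after the event

# TCP data offset in bytes, read from the header-length nibble (tcp[12] >> 4,
# in 32-bit words). With a 20-byte header this is 20, so OFF+9 is the tcp[29]
# used in the answer above; when options such as timestamps are present the
# header is longer and a fixed tcp[29] would miss the status code.
OFF='((tcp[12]&0xf0)>>2)'

# Capture filter for one 3-digit status code at the start of a server segment.
status_filter() {
    code=$1
    c1=${code%??}; rest=${code#?}; c2=${rest%?}; c3=${rest#?}
    printf 'tcp src port 80 and tcp[%s+9:1] = 0x%02x and tcp[%s+10:1] = 0x%02x and tcp[%s+11:1] = 0x%02x\n' \
        "$OFF" "'$c1" "$OFF" "'$c2" "$OFF" "'$c3"
}

# Capture filter for any 4xx or 5xx status: "HTTP" at the payload start, then a
# first digit between '4' and '5'. Still misses a status line that begins in the
# middle of a segment, and IPv6 (libpcap's tcp[] indexing is IPv4-only).
error_filter() {
    printf 'tcp src port 80 and tcp[%s:4] = 0x48545450 and tcp[%s+9:1] >= 0x34 and tcp[%s+9:1] <= 0x35\n' \
        "$OFF" "$OFF" "$OFF"
}

# The scripted approach from the first answer: dumpcap writes the ring buffer,
# tshark applies the display filter that BPF cannot express, the loop waits for
# the first match and then stops both tools.
run_capture() {
    dumpcap -i "$IFACE" -f 'tcp port 80' -b duration:600 -b files:2 -w "$OUT.pcapng" &
    dc=$!
    tshark -i "$IFACE" -l -f 'tcp src port 80' -Y 'http.response.code >= 400' \
        -T fields -e frame.time -e ip.src -e http.response.code > "$OUT.event" &
    ts=$!
    while [ ! -s "$OUT.event" ]; do sleep 1; done   # -l flushes per packet
    sleep "$DELAY"
    kill "$ts" "$dc" 2>/dev/null || true; wait "$ts" "$dc" 2>/dev/null || true
    printf 'event: %s\nring buffer files: %s*\n' "$(head -n 1 "$OUT.event")" "$OUT"
}

if [ "${1:-}" = run ]; then run_capture; fi
```

Run it as `sh script.sh run`; the ring buffer keeps between 10 and 20 minutes of traffic before the event, matching the 600 s / 2 files settings in the answer above.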