Http Put request capture filter

0

Hello, I am looking to capture only PUT requests on my web server. I have seen a filter for GET requests and honestly haven't been able to decipher it down so I can adjust it for my need. The filter I found was: tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

and I tried to adjust it to: tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x50555420

which didn't work because I believe the offset is different between GET and PUT requests. Any help is appreciated.

asked 05 Aug '15, 14:06

Deesarmy
6112
accept rate: 0%

What about this filter:
http.request.method==PUT

Is this what you need, or do you need something more special?

(05 Aug '15, 14:40) Christian_R

There are high levels of traffic on this server, so I'm trying to build it into a capture filter. The method above would work for display filters, which will work, but the syntax for capture filtering is a bit different. I appreciate the response though.

(05 Aug '15, 14:59) Deesarmy

Sorry, I did not read the word capture in your question.

(05 Aug '15, 15:05) Christian_R

One Answer:

1

There is a tool to generate capture filters based on strings.

https://www.wireshark.org/tools/string-cf.html

PUT /test would translate to:

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x50555420 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x2f746573 && tcp[((tcp[12:1] & 0xf0) >> 2) + 8:2] = 0x7420

Regards
Kurt

answered 10 Aug '15, 08:04

Kurt Knochner ♦
24.8k1039237
accept rate: 15%
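How a filter of this shape is put together, as an added example (not code from the answer or from the wireshark.org tool): the match string is split into 4-, 2- and 1-byte reads placed after the TCP header length taken from byte 12. The names `string_capture_filter`, `payload_starts_with` and `make_segment` are hypothetical and the sample segments are constructed. The last term in the answer, 0x7420, is "t" followed by a space, so that filter matches ten bytes, including the space after the path.

```python
import struct

# The high nibble of TCP byte 12 is the header length in 32-bit words;
# (x & 0xf0) >> 2 equals (x >> 4) * 4, i.e. the header length in bytes,
# which is where the payload starts even when TCP options are present.
DATA_OFFSET = "((tcp[12:1] & 0xf0) >> 2)"

def string_capture_filter(text: str, joiner: str = " && ") -> str:
    """Build a pcap capture filter matching `text` at the start of the TCP payload."""
    data = text.encode("ascii")
    if not data:
        raise ValueError("empty match string")
    terms, pos = [], 0
    while pos < len(data):
        # pcap byte accessors read only 1, 2 or 4 bytes at a time.
        size = next(s for s in (4, 2, 1) if s <= len(data) - pos)
        index = DATA_OFFSET if pos == 0 else f"{DATA_OFFSET} + {pos}"
        terms.append(f"tcp[{index}:{size}] = 0x{data[pos:pos + size].hex()}")
        pos += size
    return joiner.join(terms)

def payload_starts_with(segment: bytes, text: str) -> bool:
    """Apply the same comparison in Python to a raw TCP segment."""
    if len(segment) < 20:
        return False
    offset = (segment[12] & 0xF0) >> 2
    return segment[offset:offset + len(text)] == text.encode("ascii")

def make_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment; ports, sequence numbers and flags are sample values."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to 32-bit words")
    words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, words << 4, 0x18, 65535, 0, 0)
    return header + options + payload

if __name__ == "__main__":
    print(string_capture_filter("PUT "))
    print(string_capture_filter("PUT /test "))
```

The printed expression can be passed as the capture filter to `tcpdump` or to `tshark -f`.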