This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how can I tell which images get downloaded from the site vs images requested by user?

0

I have a capture file and I am able to see images that were downloaded but I am trying to differentiate between images that were on the site itself vs images that the user requested to be downloaded from the site. Is there a way to see which images the user requested to save as opposed to just the ones that get downloaded by visiting the site? Thanks

asked 14 Nov '15, 06:04

ccices's gravatar image

ccices
6112
accept rate: 0%


One Answer:

1

which images the user requested to save

A typical browser saves all images to disk, to some directory dedicated to files for temporary use. So you cannot tell whether the user has just viewed an image or "saved" it in terms that they would intentionally press "save" and choose a folder where they would want to put the image file. The http request asking for the image file is exactly the same in both cases.

to differentiate between images that were on the site itself vs images that the user requested to be downloaded

You can, but not very reliably:

  • you may extract the html code, which you can also see in the capture, into a text editor and find links to images in it, which you then compare to the next html requests' targets,
  • you may compare the timestamps of the html requests requesting the html code and requesting the images:
  • if they are close to each other, the images were likely downloaded because the html code contained links to them,
  • isolated (in time) requests to download a single image indicate intentional user activity.

So it may be easier and less time consuming to visit the site and see by your own eyes.

answered 14 Nov '15, 08:41

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 14 Nov '15, 08:43

Thanks for the answer. I am trying to answer the question of whether the user intentionally downloaded the images found in the captured stream. When I export the objects, I see that the html gallery page shows 9 of the 10 images I see in the objects exported. I can't seem to see how the user got the 10th image... Would looking at "referrer" in this case assist me?

(14 Nov '15, 08:45) ccices

Would looking at "referrer" in this case assist me?

Again, not very reliably. In your particular case, if its contents differs between the 10th image and the other 9, it is a hint that the request has been triggered in another way than download of the other 9, but you cannot be 100 % sure what kind of event it was.

(14 Nov '15, 08:59) sindy