This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Getting the request URL for a reassembled PDU

1

I am writing a Lua script to process JSON responses. What I have so far follows below. My script runs for each JSON response returned from the server; it's based off one of the examples.

The problem I have is that some of the responses are identical to each other, but the interpretation of the data is context dependent. The context is the API URL that was used to make the request.

I haven't been able to figure out how to get the http request URL from the stream from which the reassembled PDU is gathered. Is that possible?

Here's an example stream:

0.255611 192.168.1.156 -> 192.168.1.4 HTTP 226 POST /api/stats.json HTTP/1.1  (application/x-www-form-urlencoded)
0.359587 192.168.1.4 -> 192.168.1.156 TCP 60 http > 5195 [ACK] Seq=1 Ack=787 Win=7982 Len=0
0.664189 192.168.1.4 -> 192.168.1.156 TCP 1406 [TCP segment of a reassembled PDU]
...
1.107964 192.168.1.4 -> 192.168.1.156 HTTP 1187 HTTP/1.1 200 OK  (application/json)

At the time my script is called on the 200 OK packet, on the reassembled PDU, the http fields for request uri are all empty. I need to discover that this json object is a result of /api/stats.json.

    do
        packets = 0;

        -- Field extractors must be created before the tap runs
        local response_fe = Field.new("http.response")
        local request_version_fe = Field.new("http.request.version")
        local response_code_fe = Field.new("http.response.code")
        local response_phrase_fe = Field.new("http.response.phrase")

        local function init_listener()
            -- Tap HTTP packets whose Content-Type contains "json"
            local tap = Listener.new("http", "http.content_type contains \"json\"")

            local count = 0

            function tap.reset()
                packets = 0;
            end

            function tap.packet(pinfo, tvb, ip)
                local response = response_fe()
                local request_version = request_version_fe()
                local response_code = response_code_fe()
                local response_phrase = response_phrase_fe()

                -- Get a table of fields
                fields = { all_field_infos() }

                -- Print the name of every field
                for i, field in ipairs(fields) do
                    count = count + 1
                    print(count .. " name: " .. tostring(field.name) .. " len: " .. tostring(field.len) .. " offset: " .. tostring(field.offset) .. " value: " .. tostring(field.value):sub(1, 40))
                end

                packets = packets + 1
            end

            function tap.draw()
                print("Packets: ", packets)
            end
        end

        init_listener()
    end

asked 06 Dec ‘11, 02:17


studog
16224
accept rate: 0%
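One way to recover the request context for each JSON response is to remember the request URIs per TCP stream and pair each response with the oldest unanswered request on that stream. This is an added example, not part of the original post. The names `pending` and `uri_fe` are this example's own, and it assumes HTTP/1.x, where responses on a connection arrive in request order.

```lua
-- Added example: pair each JSON response with the URI of the request that
-- produced it, by tracking requests per TCP stream.
local uri_fe      = Field.new("http.request.uri")
local code_fe     = Field.new("http.response.code")
local ctype_fe    = Field.new("http.content_type")
local stream_fe   = Field.new("tcp.stream")

-- pending[stream index] = FIFO list of request URIs still awaiting a response
local pending = {}

-- See both directions; the JSON check happens on the response side below.
local tap = Listener.new("http", "http.request or http.response")

function tap.reset()
    pending = {}
end

function tap.packet(pinfo, tvb)
    local stream = stream_fe()
    if not stream then return end
    local key = stream.value

    -- Request: queue its URI on this stream.
    local uri = uri_fe()
    if uri then
        pending[key] = pending[key] or {}
        table.insert(pending[key], tostring(uri))
        return
    end

    -- Response: dequeue the oldest request on the same stream.
    if code_fe() then
        local queue = pending[key]
        local request_uri = (queue and table.remove(queue, 1)) or "(request not captured)"
        local ctype = ctype_fe()
        if ctype and tostring(ctype):find("json", 1, true) then
            print(string.format("frame %d: JSON response to %s",
                                pinfo.number, request_uri))
        end
    end
end
```

If the capture starts mid-connection, a response can arrive with no queued request; the example reports that case instead of guessing a URI.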