FAQ

How do I create a packet capture filter to capture HTTP GET requests?

FAQ ID:    FAQ1793
Version:    1.0
Status:    Published
Published date:    01/03/2012
 

Answer

The following information is taken in part from the Wireshark Wiki page on capturing HTTP GET requests (wiki.wireshark.org/CaptureFilters). 

Here is the filter:

port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2)+8:4] = 0x20323030)

The filter above has 3 main parts:

  • port 80
  • tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
  • tcp[((tcp[12:1] & 0xf0) >> 2)+8:4] = 0x20323030

The first part restricts the capture to port 80. On its own, "port 80" matches TCP or UDP, but because the other two parts index into the TCP header, only TCP traffic can satisfy the whole expression. Port 80 is the usual choice in a transparent HTTP deployment; if the proxy listens on a different port, change it here.
The second part reads the first four bytes of the TCP payload and compares them with 0x47455420, which is the ASCII for "GET " (G, E, T, space). The sub-expression (tcp[12:1] & 0xf0) >> 2 computes where the payload starts: byte 12 of the TCP header carries the data offset in its high nibble, measured in 32-bit words, and shifting the masked byte right by 2 converts that to the header length in bytes, options included.
The third part looks 8 bytes further into the payload and matches HTTP responses. A typical response starts with "HTTP/1.1 200 OK"; the first 8 characters are "HTTP/1.1", so the four bytes at offset 8 are " 200", which is 0x20323030.

This filter is very useful on a busy ProxySG, where there is sometimes enough traffic crossing the proxy that an unfiltered capture hits the 100 MB limit within a few seconds. With the filter above you gather only GET requests and 200 (new content) responses. The values can be swapped for whatever you want to match: instead of the hex for "GET " use the hex for "HEAD" or "POST" (always four ASCII bytes, so a three-letter method such as "PUT " is space-padded), and for responses work out the hex for " 304" or " 500" in the same way, including the leading space. Two caveats: the comparison is against the first bytes of the TCP payload, so only the segment carrying the request line or status line is captured, not the TCP handshake, the rest of a large response body, or later segments of the same connection; and the comparison is exact, so it is case-sensitive and will not see requests inside TLS or on a port the filter does not name.
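As an added worked example (not code from this article or from the Wireshark wiki), the following Python script generalizes the filter just described: it turns any method or status code into the four-byte literal, assembles the full expression (including the extra-port form used for DNS), and then evaluates the same offset arithmetic against constructed TCP segments so you can see why (tcp[12:1] & 0xf0) >> 2 lands on the payload even when TCP options are present. All function names, the segment builder and the sample payloads are hypothetical and constructed here for illustration; the script does not talk to a ProxySG or to libpcap.

```python
import struct

# Added example: builds the capture filter from the article for any HTTP
# method or status code and checks it against constructed TCP segments.
# Function names, the segment builder and the sample payloads are all
# hypothetical; this is not ProxySG or Wireshark code.

OFFSET_EXPR = "((tcp[12:1] & 0xf0) >> 2)"   # TCP header length in bytes = start of payload


def method_prefix(method: str) -> bytes:
    """First four payload bytes of a request for this method, space-padded ("GET" -> b"GET ")."""
    return (method + " ")[:4].encode("ascii")


def status_prefix(code: int) -> bytes:
    """Payload bytes 8..11 of a response: the space plus three-digit status (200 -> b" 200")."""
    return f" {code:03d}".encode("ascii")


def bpf_literal(b: bytes) -> str:
    """Render four bytes as the hex literal BPF compares against (b"GET " -> "0x47455420")."""
    return "0x" + b.hex()


def build_filter(methods=("GET",), statuses=(200,), port=80, extra_ports=()):
    """Assemble the capture filter; the defaults reproduce the expression from the article."""
    terms = [f"tcp[{OFFSET_EXPR}:4] = {bpf_literal(method_prefix(m))}" for m in methods]
    terms += [f"tcp[{OFFSET_EXPR}+8:4] = {bpf_literal(status_prefix(s))}" for s in statuses]
    expr = f"port {port} and ({' or '.join(terms)})"
    for p in extra_ports:                     # e.g. (53,) to add DNS, as in the article
        expr = f"({expr}) or port {p}"
    return expr


def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment (header + options + payload) with a correct data-offset nibble."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,                 # source port, destination port
                         1, 1,                      # sequence and acknowledgement numbers
                         data_offset_words << 4,    # byte 12: data offset in the high nibble
                         0x18,                      # flags: PSH+ACK
                         65535, 0, 0)               # window, checksum (not computed), urgent pointer
    return header + options + payload


def payload_offset(segment: bytes) -> int:
    """Evaluate (tcp[12:1] & 0xf0) >> 2 exactly as the filter does."""
    return (segment[12] & 0xF0) >> 2


def segment_matches(segment: bytes, methods=("GET",), statuses=(200,)) -> bool:
    """Apply the filter's two payload tests to one TCP segment.

    BPF rejects a packet when a load would run past its end, so a segment with
    fewer than four payload bytes (a bare ACK) never matches, and the status
    test cannot match when the payload is shorter than twelve bytes.
    """
    off = payload_offset(segment)
    first4 = segment[off:off + 4]
    if len(first4) == 4 and any(first4 == method_prefix(m) for m in methods):
        return True
    at8 = segment[off + 8:off + 12]
    return len(at8) == 4 and any(at8 == status_prefix(s) for s in statuses)


if __name__ == "__main__":
    print(build_filter())
    print(build_filter(methods=("GET", "HEAD", "POST"), statuses=(200, 304, 500), extra_ports=(53,)))
    # Constructed payloads: a request carrying TCP timestamp options, a 200, a 304 and a bare ACK.
    tsopt = b"\x01\x01\x08\x0a" + b"\x00" * 8
    for label, seg in [
        ("GET with options", build_segment(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", tsopt)),
        ("200 response", build_segment(b"HTTP/1.1 200 OK\r\n")),
        ("304 response", build_segment(b"HTTP/1.1 304 Not Modified\r\n")),
        ("bare ACK", build_segment(b"")),
    ]:
        print(f"{label:18} offset={payload_offset(seg):2} match={segment_matches(seg)}")
```

The default build_filter() output is byte-for-byte the expression from the article, and the segment check shows the two things the prose leaves implicit: a request still matches when the header grows to 32 bytes with options, because the offset is computed from the packet rather than assumed to be 20, and a 304 response or a bare ACK is dropped unless you add the corresponding status literal.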

You can also add other traffic, such as DNS, by wrapping the whole expression in parentheses and adding another port term:
(port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2)+8:4] = 0x20323030)) or port 53


To use this on a ProxySG, either enter it at the command line as follows (note the quotation marks around the expression):
#pcap filter expr "port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2)+8:4] = 0x20323030)"

Alternatively, in the UI go to Maintenance > Service Information > Packet Captures and enter just the filter you want into the filter section (quotation marks are not needed).
