Hi,
I have a pcap with multiple POST and GET requests in it. Let's say this
is the format:
===================
Frame a --- GET blah-a1
Frame b --- GET blah-b1
Frame b --- GET blah-b2
Frame b --- POST blah-b3
Frame c --- POST blah-c1
===================
(I guess some kind of HTTP Pipelining is going on here)
Now, I want to get the frame numbers and the URIs for all packets
in which either a GET or a POST request has been sent. So I wrote this
filter:
tshark -T fields -e frame.number -e http.request.uri -r FILENAME.pcap \
  -R "http.request.method contains GET || http.request.method contains POST"
But this filter ends up returning:
===================
Frame a --- GET blah-a1
Frame b --- POST blah-b3
Frame c --- POST blah-c1
===================
The two other requests within Frame b are missing (Frame b --- GET
blah-b1 and Frame b --- GET blah-b2). It seems that the filter has to
be modified to get these, but how?
Any reading material that I should go through to get this right?
thanks,
Deapesh.
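
Added example, not part of the original post: a single TCP payload can hold several HTTP requests, as in "Frame b" above, and this Python function lists every request line in such a payload while skipping POST bodies by Content-Length. The payload, the host name and the `/decoy` body are constructed for illustration.

```python
import re

# Only the two methods the post asks about.
REQUEST_LINE = re.compile(rb"^(GET|POST) (\S+) HTTP/1\.[01]$")

def pipelined_requests(payload: bytes):
    """Return (method, uri) for every complete HTTP request in one TCP payload."""
    found, pos = [], 0
    while pos < len(payload):
        head_end = payload.find(b"\r\n\r\n", pos)
        if head_end == -1:      # header block continues in a later segment
            break
        lines = payload[pos:head_end].split(b"\r\n")
        match = REQUEST_LINE.match(lines[0])
        if not match:           # not at a request boundary; stop rather than guess
            break
        found.append((match.group(1).decode(), match.group(2).decode()))
        # Skip the body so body bytes are never mistaken for a request line.
        body_len = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length" and value.strip().isdigit():
                body_len = int(value.strip())
        pos = head_end + 4 + body_len
    return found

# Constructed sample: three requests in one segment, like "Frame b" in the post.
# The POST body deliberately looks like a request line to show why it is skipped.
FRAME_B = (
    b"GET /blah-b1 HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"GET /blah-b2 HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /blah-b3 HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 24\r\n\r\nGET /decoy HTTP/1.1\r\n\r\nx"
)

if __name__ == "__main__":
    for method, uri in pipelined_requests(FRAME_B):
        print(method, uri)
```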