Wireshark-users: Re: [Wireshark-users] filter for ONLY initial get request
From: "Thierry Emmanuel" <Emmanuel.Thierry@xxxxxxxxxxxxxxx>
Date: Thu, 12 Aug 2010 11:32:43 +0200

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: jeudi 12 août 2010 11:08
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] filter for ONLY initial get request


> The best I have come up with so far is to look only at requested objects of type "text/html" and then look at the referer instead of the host header (and the host header if the referer is empy). But also this is far from perfect. It leaves in false positives and might have some false negatives too. But you can give it a shot to see how it compares to what you already have...

I don't know how you want to use the referrer header. It is filled whether the object were requested by the browser to complete the display of the page or by the user by clicking on a link. The only case it isn't given by the browser is when the user explicitly type an url in the address bar of his favorite browser.

Best regards