I have a periodic need to identify object downloads in HTTP traces. This is easily accomplished by setting the display filter (http.response.code == 200).

Some traces, however, may contain large numbers of tiny and (for my purposes) inconsequential objects, so I would like to be able to additionally apply something like (http.content_length > nnnn) to return only the larger reassembled objects. This does not work, however, because (I believe) Wireshark treats the value of http.content_length as a string, not an integer, so the "greater-than" functionality does not apply. Interestingly, the filter editor / syntax checker does let me build and apply such a filter, but the results seem random, returning a mix of HTTP 200 frames whose content lengths are larger and smaller than the value of nnnn.

Is there a way to accomplish what I am trying to do? Is there a reason that greater-than is allowed on non-numerical fields? Is there some way to leverage this which I am not seeing?

Alternatively, is there any other way to accomplish something similar? For example, it would be great if there were a way to accomplish something logically similar to (tcp.reassemble_size > nnnn). The latter approach would actually be useful in several other cases I can think of, as well.

Thanks in advance for any insights.

_______________________________________________
Wireshark-users mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-users
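
The symptom described in the message above, as an added example that is not part of the original post: if a length value is ordered as text rather than as a number, a greater-than test returns small objects and misses large ones, while converting to an integer first gives the intended set. The rows are constructed sample data in the tab-separated shape that `tshark -T fields -e frame.number -e http.response.code -e http.content_length` is assumed to export; the function names are hypothetical.

```python
# Constructed sample rows: frame.number, http.response.code, http.content_length.
# All values are made up; the last row has no Content-Length at all.
SAMPLE_ROWS = """\
12\t200\t512
40\t200\t98304
77\t200\t9
103\t404\t345
131\t200\t1048576
160\t200\t15000
188\t200\t
"""


def parse_rows(text):
    """Yield (frame, status, content_length_text) for each well-formed row."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2].strip()


def frames_string_compare(text, threshold):
    """Greater-than on the raw text: the ordering is lexicographic."""
    return [frame for frame, status, clen in parse_rows(text)
            if status == "200" and clen > str(threshold)]


def frames_numeric_compare(text, threshold):
    """Greater-than after integer conversion; rows without a valid length are skipped."""
    return [frame for frame, status, clen in parse_rows(text)
            if status == "200" and clen.isdigit() and int(clen) > threshold]


if __name__ == "__main__":
    limit = 20000
    # Text ordering keeps "512" and "9" (they sort after "20000")
    # and drops "1048576" (it sorts before "20000").
    print("string compare :", frames_string_compare(SAMPLE_ROWS, limit))
    print("numeric compare:", frames_numeric_compare(SAMPLE_ROWS, limit))
```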
