8

How do I filter for HTTP 500 responses and their requests in Wireshark?

I'm able to use http.response.code == 500 to find all the responses which got the return code 500 but I want to be able to see the requests of those responses, too.

Update: I want to do this automatically so that I can set up a tshark.exe instance to record one day and only save the interesting HTTP traffic (there is a WEBDAV running on the same server with a lot of traffic that does not interest me).

Second Update: Since I mainly wanted to record messages that were sent to a WebService and not the WEBDAV, I used http.content_type contains "text/xml" to filter for XML-based messages. This is not 100% what I was looking for, but it generates small enough logs for further debugging.

Martin

1 Answer

10

I believe you will have to put a capture filter for all HTTP traffic, and then put in a display filter for the http.response.code == 500.
After you have found a response code, remove the display filter and then use the Follow TCP Stream -or- the Conversation Filter to find the related packets...

Scott Lundberg
  • @Scott Lundberg thanks for the hint but I need to do this automatically which I suppose is not possible with your solution – Martin Apr 15 '10 at 07:14
  • @mutzel: If I understand your update, you are looking for a trigger (response code in this case) that will start your capture and then using the basis for the trigger, only capture that conversation? If so, then no, Wireshark will not be able to do that for you as it doesn't have triggers... – Scott Lundberg Apr 16 '10 at 14:58
  • Yes, some kind of a trigger would have been nice. Or maybe a filter based on conversations and not packages. So that I could filter for every conversation containing an HTTP 500. – Martin Apr 19 '10 at 14:12
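
The manual procedure from the answer (find the 500 responses, then pull up their TCP conversations) can be scripted as two tshark passes over a capture file that has already been saved. This is an added example, not part of the original posts; the function names and file arguments are assumptions, and it uses only the tshark options -r, -Y, -T fields, -e and -w.

```python
import subprocess
import sys

FILTER_500 = "http.response.code == 500"  # display filter from the question


def parse_stream_ids(tshark_output):
    """Turn `-T fields -e tcp.stream` output into sorted, unique stream ids."""
    ids = set()
    for line in tshark_output.splitlines():
        # A frame with more than one TCP layer prints comma-separated values;
        # blank lines are skipped.
        for token in line.replace(",", " ").split():
            if token.isdigit():
                ids.add(int(token))
    return sorted(ids)


def build_stream_filter(stream_ids):
    """Display filter matching every packet of the given TCP streams."""
    # Plain == / || terms are used instead of set-membership syntax, whose
    # separator rules differ between Wireshark versions.
    return " || ".join(f"tcp.stream == {i}" for i in stream_ids)


def extract_500_conversations(pcap_in, pcap_out, tshark="tshark"):
    """Write all packets of streams containing an HTTP 500 to pcap_out."""
    # Pass 1: list the TCP stream index of every 500 response.
    listing = subprocess.run(
        [tshark, "-r", pcap_in, "-Y", FILTER_500,
         "-T", "fields", "-e", "tcp.stream"],
        check=True, capture_output=True, text=True).stdout
    ids = parse_stream_ids(listing)
    if not ids:
        return []  # no filter to apply; do not copy the whole capture
    # Pass 2: stream indexes are assigned per file, so read the same file.
    subprocess.run(
        [tshark, "-r", pcap_in, "-Y", build_stream_filter(ids),
         "-w", pcap_out],
        check=True)
    return ids


if __name__ == "__main__":
    kept = extract_500_conversations(sys.argv[1], sys.argv[2])
    print(f"kept {len(kept)} TCP stream(s): {kept}")
```

Because the selection is per TCP stream, a keep-alive connection contributes all of its requests and responses to the output, not only the failing pair.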