0

Capture Filter - Exclude URL Containing Certain String

Is it possible to use a capture filter to exclude traffic to a given path? The problem I'm faced with is trying to determine hits to a web server but only for certain web applications, excluding a particular one.

Ex.

I want to see traffic on google.com/blah

I do not want to see traffic on google.com/bloop

I understand capture filters are more limited than display filters, but I'd like to limit the size and overhead of the initial capture by only capturing traffic I want to see. The end goal is to determine individual IPs making requests to this website, excluding traffic to a given X-Original-URL path.

burritoman
asked 2019-03-28 21:00:59 +0000


1 Answer

0

Capture filters will not be able to do this unless you can specify a different IP address for the server. The problem is that capture filters use a more limited syntax. Capture filters can differentiate source/dest IP and name based on different subdomains/IP addresses. google.com/blah and google.com/bloop, however, both point to the same server. More info can be found on this Stack Overflow question. If somehow there is a different server involved (let's say google.com/drive redirects to drive.google.com), then you can use a capture filter like dst drive.google.com.

Edited: To limit the scope to capture filters

Ross Jacobs
answered 2019-03-29 21:32:05 +0000, updated 2019-03-30 17:20:30 +0000

Comments

This is a Display filter, not a capture filter.

Jaap (2019-03-30 08:11:51 +0000)

Thanks for the catch @Jaap. Edited question to reflect this.

Ross Jacobs (2019-03-30 17:04:10 +0000)

In particular, they're limited not to be able to do anything involving a loop (so no arbitrary string pattern-matching) or involving string pattern-matching.

Guy Harris (2019-03-30 18:26:36 +0000)
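
Added example, not part of the original thread: because the capture filter can only narrow the capture by server address and port, the path exclusion has to be applied after capture. The Python below takes (source IP, HTTP request bytes) pairs, assumed to be cleartext HTTP/1.x requests already extracted from such a capture, and returns the client IPs that requested anything outside the excluded path, preferring X-Original-URL when the header is present. The function names and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

def request_path(raw):
    """Return the effective path of one HTTP/1.x request, or None if unparsable.

    An X-Original-URL header, when present, wins over the request line.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not an HTTP request line (e.g. TLS or a mid-stream segment)
    target = parts[1]
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-original-url":
            target = value.strip()
            break
    return urlsplit(target).path or "/"

def under(path, prefix):
    """True if path is prefix itself or below it, compared per path segment."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def client_ips(requests, exclude_prefix):
    """Unique source IPs with at least one request outside exclude_prefix."""
    keep = set()
    for src, raw in requests:
        path = request_path(raw)
        if path is not None and not under(path, exclude_prefix):
            keep.add(src)
    return sorted(keep)

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", b"GET /blah/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.0.2.11", b"GET /bloop/api?x=1 HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.0.2.12", b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                   b"X-Original-URL: /bloop/admin\r\n\r\n"),
    ("192.0.2.13", b"GET /bloopers HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.0.2.14", b"\x16\x03\x01\x02\x00"),  # non-HTTP bytes, ignored
]

if __name__ == "__main__":
    print(client_ips(SAMPLE, "/bloop"))
```

The header can sit at any offset inside the request, which is the kind of match the comments above say a capture filter cannot express.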