Advanced Wireshark Filtering: Capturing HTTP 500 Errors with Associated Requests for Web Service Debugging

When debugging web services, isolating HTTP 500 errors is crucial - but seeing just the responses isn't enough. We need the complete request-response cycle to properly diagnose issues. While http.response.code == 500 shows error responses, we need a more sophisticated approach to capture the originating requests.

Wireshark's conversation tracking features provide the answer. To capture both sides of problematic exchanges:

http.response.code == 500 || tcp.stream eq http.response.code == 500

This filter combines two conditions:
1. Direct HTTP 500 responses
2. Any packets belonging to TCP streams where 500 responses occurred

For your specific case of running tshark with WebDAV noise, consider this enhanced filter:

(http.response.code == 500 && http.content_type contains "text/xml") || 
(tcp.stream eq http.response.code == 500 && http.content_type contains "text/xml")

This ensures you only capture:
• XML-based web service traffic
• Both requests and responses
• Only when errors occur

Here's how to implement this in a tshark command for 24-hour monitoring:

tshark -i eth0 -f "port 80" -Y '((http.response.code == 500 && http.content_type contains "text/xml") || (tcp.stream eq http.response.code == 500 && http.content_type contains "text/xml"))' -w webservice_errors.pcap -a duration:86400

For interactive analysis, right-click any 500 response and select "Follow > TCP Stream". This shows the complete exchange in context, with client requests in red and server responses in blue.

When dealing with high-traffic servers, consider these optimizations:
• Add port filtering (tcp.port == 80)
• Limit capture to specific IP ranges
• Use display filters rather than capture filters when possible
• Consider sampling (every Nth packet) if storage is constrained

If your filters aren't working as expected:
1. Verify HTTP packet reassembly is enabled (Edit > Preferences > Protocols > HTTP)
2. Check for HTTPS traffic that needs decryption
3. Confirm timestamps aren't causing stream correlation issues
4. Verify you're capturing full packets (not truncated)


When troubleshooting web services, identifying HTTP 500 errors is crucial, but seeing just the responses isn't enough. Developers need the complete picture - both the failed responses and their triggering requests. In high-traffic environments (like servers running both WebDAV and web services), this becomes particularly important for isolating relevant traffic.

The straightforward filter:

http.response.code == 500

only shows server responses. To see the conversation flow, we need to correlate requests with their responses.

Wireshark's http.time filter allows tracking complete transactions:

(http.response.code == 500) || (http.request and http.time >= 5)

This captures:

  1. All HTTP 500 responses
  2. Any requests that took longer than 5 seconds to respond (adjustable threshold)

For day-long captures via tshark.exe, use this comprehensive filter that includes TCP stream reconstruction:

((http.response.code == 500) && tcp.stream) || 
(http.request && tcp.stream in {http.response.code == 500})

As noted in the update, when dealing with mixed WebService/WebDAV environments, content-type filtering adds precision:

((http.response.code == 500) && http.content_type contains "text/xml") ||
(http.request && http.content_type contains "text/xml")

For tshark.exe recording sessions, save filtered output with:

tshark -f "tcp port 80" -Y '((http.response.code == 500) || 
(http.request && tcp.stream in {http.response.code == 500}))' -w filtered_capture.pcap

In Wireshark GUI, after applying filters:

  • Right-click any packet → Follow → HTTP Stream
  • Use Statistics → HTTP → Load Distribution
  • Export specific streams via File → Export Specified Packets
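The stream-level correlation both answers reach for, written out as an added Python example that is not part of either answer: a display filter is evaluated one packet at a time, so the set of failing streams has to come from a first pass before `tcp.stream in {…}` can be applied. It runs over constructed tshark `-T fields` output and relies only on the real fields `tcp.stream`, `http.response.code` and `http.request_in`; the second function shows why a keep-alive connection needs the exact request/response pairing rather than the whole stream.

```python
"""Two-pass HTTP 500 request/response correlation over tshark field output."""

# Constructed sample of tshark field output (not a real capture), in the shape produced by:
#   tshark -r capture.pcap -Y http -T fields -E header=y -E separator=/t \
#     -e frame.number -e tcp.stream -e http.request.method -e http.request.uri \
#     -e http.response.code -e http.request_in
# Empty cells are fields the packet does not carry. Stream 7 is a keep-alive
# connection carrying a failed POST followed by a successful one.
SAMPLE = """frame.number\ttcp.stream\thttp.request.method\thttp.request.uri\thttp.response.code\thttp.request_in
1\t3\tPROPFIND\t/dav/docs/\t\t
2\t3\t\t\t207\t1
3\t7\tPOST\t/ws/orders\t\t
4\t7\t\t\t500\t3
5\t9\tGET\t/ws/status\t\t
6\t9\t\t\t200\t5
7\t7\tPOST\t/ws/invoice\t\t
8\t7\t\t\t200\t7
"""


def parse_fields(text):
    """Turn header-prefixed tab-separated tshark output into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    names = lines[0].split("\t")
    return [dict(zip(names, ln.split("\t"))) for ln in lines[1:]]


def error_streams(rows, code="500"):
    """Pass 1: tcp.stream ids on which at least one HTTP <code> response was seen."""
    return sorted({int(r["tcp.stream"]) for r in rows if r["http.response.code"] == code})


def stream_filter(streams):
    """Display filter for pass 2; whitespace-separated set syntax works on Wireshark 3.x and 4.x."""
    if not streams:
        return None  # an empty set is not valid filter syntax, so there is nothing to apply
    return "tcp.stream in {" + " ".join(map(str, streams)) + "}"


def requests_on_error_streams(rows, code="500"):
    """What the stream filter yields: every request frame on those streams, failed or not."""
    wanted = set(error_streams(rows, code))
    return [int(r["frame.number"]) for r in rows
            if int(r["tcp.stream"]) in wanted and r["http.request.method"]]


def failing_requests(rows, code="500"):
    """Exact pairing via http.request_in: only the request frame each <code> response answered."""
    return sorted(int(r["http.request_in"]) for r in rows
                  if r["http.response.code"] == code and r["http.request_in"])


if __name__ == "__main__":
    rows = parse_fields(SAMPLE)
    print(stream_filter(error_streams(rows)))   # tcp.stream in {7}
    print(requests_on_error_streams(rows))      # [3, 7]  (keep-alive pulls in frame 7 too)
    print(failing_requests(rows))               # [3]
```

In practice the first pass is `tshark -r capture.pcap -Y 'http.response.code == 500' -T fields -e tcp.stream`, and the string returned by `stream_filter` is the `-Y` argument for the second pass.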