How to filter by protocol in Wireshark 2.2.7?
Based on your comments, if you only want to filter HTTP POST or GET messages you could use the following filter:
http.request.method == GET or http.request.method == POST and ip.host == 192.168.0.201
Tested with 2.2.6
Author: jstuardo
Updated on September 18, 2022
Comments
-
jstuardo over 1 year
I am trying to show only HTTP traffic in the capture window of Wireshark but I cannot figure out the syntax for the capture filter.
I have tried suggestions for old versions of Wireshark but with no success.
I have this current filter:
ip host 192.168.0.201
Meaning that I want to capture packets from and to that IP address. I need to add a filter to see only HTTP traffic.
I have tried:
ip host 192.168.0.201 http
ip host 192.168.0.201 and ip.proto == 'http'
- and a lot of other combinations but none worked.
This is the actual capture session, so that you can figure out what the problem is:
-
Kirill2485 almost 7 years
Did you try entering the actual port number of HTTP (port 80) instead of 'http'?
-
jstuardo almost 7 years
Port is 8080... but I don't want to filter by port but by protocol... protocol http means methods Get or Post... when I don't filter by protocol, I get entries with http and tcp protocols, both using the same port 8080. Since tcp entries are the most, I need to filter them.
-
Kirill2485 almost 7 years
If you just want to monitor GET and POST requests to a website, the Chrome developer tools let you do that. Just press F12 and go to "Network".
-
jstuardo almost 7 years
No... you cannot suppose this is a PC. This is actually a device that sends requests to a website and receives responses from it. That traffic is what I need to monitor. That is the reason I need a tool such as Wireshark.
-
jstuardo almost 7 years
This does not meet the requirement. I can do that, but I can only see the GET and POST requests made by 192.168.0.201. I also need to capture the server response. For example, when the device sends a GET or POST request, the server responds with an OK or depending on the requested command. That is why I need to capture HTTP protocol. Please see my question edit. You can see there the request and the OK sent by the server. You will also see a lot of TCP entries that belong to the acknowledge mechanism of the transport protocol.
-
jstuardo almost 7 years
I used this capture filter "host 192.168.0.201 and (port 8080 or port 80)" but it also captures TCP entries because they also occur on port 8080. Please see my question edit.
-
jstuardo almost 7 years
I have finally used this display filter: "http"... and it works. However, it also captures error packets, which are displayed in red in Wireshark. Is there a way to filter that?
-
mtak almost 7 years
Oh I'm sorry. I just read "protocol http means methods Get or Post...". I don't really agree with that statement, but that's what you asked for... I'm sorry to have wasted your time with my obviously wrong answer.
-
moonpoint almost 7 years
@jstuardo, to eliminate the ones with errors, try adding
and not _ws.expert.severity==error
to the filter you are using. expert.severity==error works for me with Wireshark 1.10.14 on a Linux system, but you may need to use _ws.expert.severity==error for your version. I have to use the latter version with Wireshark 2.2.5 on my MacBook Pro laptop.
-
bertieb about 5 years
Welcome to Super User! Can you edit your answer to explain what you are suggesting and why it works? Cheers
-
Victor Choy about 5 years
Put the form in wireshark, it will filter the tcp protocol. Very simple. I don't understand why you downvote my answer. @bertieb
-
bertieb about 5 years
I didn't downvote your answer, and I cannot speak for whoever did. However, you could improve this answer by editing it and adding an explanation, particularly why someone should use this variant rather than the others suggested. Cheers
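
Added example (not part of the original thread): the capture filter quoted in the comments, "host 192.168.0.201 and (port 8080 or port 80)", also keeps bare TCP segments because capture filters test header bytes and have no "http" keyword. The Python sketch below applies the arithmetic of the tcpdump manual's "packets that contain data" expression to constructed packets; the server address, ports other than 8080, and all function names are assumptions made for illustration.

```python
import struct

# Capture filters (BPF) can only test header bytes. The tcpdump manual's idiom
# for "TCP segments that carry data", with the port changed to the 8080 used
# in this thread, is:
#   host 192.168.0.201 and tcp port 8080 and
#   (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed IPv4+TCP packet (checksums left at zero; not needed here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

def tcp_payload(pkt):
    """Same arithmetic as the BPF expression: total length minus both headers."""
    ihl = (pkt[0] & 0x0F) << 2                 # ip[0]&0xf, converted to bytes
    total = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]
    doff = (pkt[ihl + 12] & 0xF0) >> 2         # tcp[12]&0xf0, converted to bytes
    return pkt[ihl + doff:total]

def classify(pkt):
    data = tcp_payload(pkt)
    if not data:
        return "tcp-only"          # SYN/ACK/FIN without data: dropped by the filter
    if data.startswith((b"GET ", b"POST ")):
        return "http-request"
    if data.startswith(b"HTTP/"):
        return "http-response"
    return "tcp-data"              # data that does not start an HTTP message

DEVICE, SERVER = "192.168.0.201", "203.0.113.10"   # server address is constructed
SAMPLE = [                                          # constructed sample traffic
    build_packet(DEVICE, SERVER, 50000, 8080, 0x02),                       # SYN
    build_packet(DEVICE, SERVER, 50000, 8080, 0x18, b"GET /cmd HTTP/1.1\r\n\r\n"),
    build_packet(SERVER, DEVICE, 8080, 50000, 0x10),                       # bare ACK
    build_packet(SERVER, DEVICE, 8080, 50000, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),
]

def summarize(packets):
    return [classify(p) for p in packets]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The payload-length test only approximates the "http" display filter: later segments of a multi-packet body carry data without an HTTP start line, and only Wireshark's dissector attributes them to HTTP.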