How to filter by protocol in Wireshark 2.2.7?


Based on your comments, if you only want to filter HTTP POST or GET messages you could use the following filter:

(http.request.method == "GET" or http.request.method == "POST") and ip.host == 192.168.0.201

Tested with 2.2.6

wireshark screenshot
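Two points in this thread are worth pinning down with code. First, a capture filter is BPF (`host 192.168.0.201 and port 8080`) and is applied before any dissection, so it can only see addresses and ports; "http" is a display filter, which is evaluated on dissected fields, which is why the bare `http` display filter works and the capture-filter attempts did not. Second, in a display filter `and` binds tighter than `or`, as in C, so `method == GET or method == POST and ip.host == X` means `GET or (POST and host == X)` and lets a GET from any host through; parentheses fix that. The following is an added example, not code from the thread: a minimal dissector over constructed Ethernet/IPv4/TCP frames (no checksums, not a real capture) that exposes the same field values Wireshark would, and three predicates standing in for the filter as posted, the parenthesised version, and `http and ip.host == 192.168.0.201`. The server address, the second client address, and the payloads are assumptions.

```python
"""Display-filter semantics replayed over constructed frames.

Added example, not part of the Super User thread. The frames below are
built inline and are not a real capture; 10.0.0.5 and 192.168.0.50 are
assumed addresses (the thread only names the device, 192.168.0.201).
"""
import struct
from typing import Callable, Dict, List

Fields = Dict[str, object]

HTTP_METHODS = (b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH")

DEVICE = "192.168.0.201"   # from the thread
SERVER = "10.0.0.5"        # assumed web server address
OTHER = "192.168.0.50"     # assumed second client on the same LAN
PORT = 8080                # from the thread


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Ethernet/IPv4/TCP frame around `payload`; checksums are left at zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def dissect(frame: bytes) -> Fields:
    """Field values a display filter tests: ip.src/dst, ports, HTTP method or status code."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:]
    fields: Fields = {
        "ip.src": ".".join(map(str, frame[26:30])),
        "ip.dst": ".".join(map(str, frame[30:34])),
        "tcp.srcport": sport, "tcp.dstport": dport,
        "http.request.method": None, "http.response.code": None,
    }
    # Wireshark's http dissector keys on the request/status line, so a bare ACK
    # on port 8080 never gets http.* fields; that is what 'http' filters out.
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        fields["http.request.method"] = parts[0].decode()
    elif len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        fields["http.response.code"] = int(parts[1])
    return fields


def is_http(f: Fields) -> bool:
    """Equivalent of the bare display filter 'http'."""
    return f["http.request.method"] is not None or f["http.response.code"] is not None


def ip_host(f: Fields, addr: str) -> bool:
    """Equivalent of 'ip.host == addr': matches either endpoint, like ip.addr."""
    return addr in (f["ip.src"], f["ip.dst"])


def filter_as_posted(f: Fields) -> bool:
    """http.request.method == GET or http.request.method == POST and ip.host == DEVICE
    'and' binds tighter than 'or', so a GET from any host is kept."""
    m = f["http.request.method"]
    return m == "GET" or (m == "POST" and ip_host(f, DEVICE))


def filter_parenthesised(f: Fields) -> bool:
    """(http.request.method == "GET" or http.request.method == "POST") and ip.host == DEVICE"""
    return f["http.request.method"] in ("GET", "POST") and ip_host(f, DEVICE)


def filter_http_and_host(f: Fields) -> bool:
    """http and ip.host == DEVICE: requests *and* the server's responses, no bare ACKs."""
    return is_http(f) and ip_host(f, DEVICE)


def apply_filter(pred: Callable[[Fields], bool], frames: List[bytes]) -> List[int]:
    """Frame numbers (1-based, like Wireshark's No. column) that the filter keeps."""
    return [i for i, fr in enumerate(frames, 1) if pred(dissect(fr))]


# Constructed capture: the device talking to the server on 8080, plus a second client.
SAMPLE_FRAMES = [
    build_frame(DEVICE, SERVER, 40001, PORT, 0x02),                                            # 1 SYN
    build_frame(DEVICE, SERVER, 40001, PORT, 0x18, b"GET /status HTTP/1.1\r\nHost: srv\r\n\r\n"),  # 2 request
    build_frame(SERVER, DEVICE, PORT, 40001, 0x10),                                            # 3 bare ACK
    build_frame(SERVER, DEVICE, PORT, 40001, 0x18, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),  # 4 response
    build_frame(OTHER, SERVER, 50002, PORT, 0x18, b"GET / HTTP/1.1\r\nHost: srv\r\n\r\n"),         # 5 other host
    build_frame(DEVICE, SERVER, 40001, PORT, 0x18, b"POST /cmd HTTP/1.1\r\nContent-Length: 0\r\n\r\n"),  # 6 request
]

if __name__ == "__main__":
    for name, pred in [("as posted", filter_as_posted), ("parenthesised", filter_parenthesised),
                       ("http and ip.host", filter_http_and_host)]:
        print(f"{name:18s} -> frames {apply_filter(pred, SAMPLE_FRAMES)}")
```

Run stand-alone it shows the posted filter keeping frame 5 (the other client's GET), the parenthesised filter keeping only the device's requests, and `http and ip.host == 192.168.0.201` keeping the device's requests plus the server's 200 response while dropping the SYN and the bare ACK. Quoting the method strings (`"GET"`) is also the safe form: unquoted literals are accepted by 2.x but newer Wireshark releases warn about them.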


Author: jstuardo

Updated on September 18, 2022

Comments

  • jstuardo
    jstuardo over 1 year

    I am trying to show only HTTP traffic in the capture window of Wireshark but I cannot figure out the syntax for the capture filter.

    I have tried suggestions for old versions of Wireshark but with no success.

    I have this current filter:

    ip host 192.168.0.201
    

    Meaning that I want to capture packets from and to that IP address. I need to add a filter to see only HTTP traffic.

    I have tried:

    • ip host 192.168.0.201 http
    • ip host 192.168.0.201 and ip.proto == 'http'
    • and a lot of other combinations but none worked.

    This is the actual capture session, so that you can figure out what the problem is:

    Capture session

    • Kirill2485
      Kirill2485 almost 7 years
      Did you try entering the actual port number of HTTP (port 80) instead of 'http'
    • jstuardo
      jstuardo almost 7 years
      Port is 8080.... but I don't want to filter by port but by protocol... protocol http means methods Get or Post.. when I don't filter by protocol, I get entries with http and tcp protocols, both using the same port 8080. Since tcp entries are the most numerous, I need to filter them.
    • Kirill2485
      Kirill2485 almost 7 years
      If you just want to monitor GET and POST requests to a website, the Chrome developer tools let you do that. Just press F12 and go to "Network"
    • jstuardo
      jstuardo almost 7 years
      No....you cannot suppose this is a PC. This is actually a device that sends requests to a website and receives responses from it. That traffic is what I need to monitor. That is the reason I need a tool such as Wireshark.
  • jstuardo
    jstuardo almost 7 years
    This does not meet the requirement. I can do that, but I can only see the GET and POST requests made by 192.168.0.201. I also need to capture the server response. For example, when the device sends a GET or POST request, the server responds with an OK, or otherwise depending on the requested command. That is why I need to capture the HTTP protocol. Please see my question edit. You can see there the request and the OK sent by the server. You will also see a lot of TCP entries that belong to the acknowledge mechanism of the transport protocol.
  • jstuardo
    jstuardo almost 7 years
    I used this capture filter "host 192.168.0.201 and (port 8080 or port 80)" but it also captures TCP entries because they occur also on port 8080. Please see my question edit.
  • jstuardo
    jstuardo almost 7 years
    I have finally used this display filter: "http"... and it works. However, it also captures error packets, which are displayed in red in Wireshark. Is there a way to filter that?
  • mtak
    mtak almost 7 years
    Oh I'm sorry. I just read "protocol http means methods Get or Post...". I don't really agree with that statement, but that's what you asked for... I'm sorry to have wasted your time with my obviously wrong answer.
  • moonpoint
    moonpoint almost 7 years
    @jstuardo, to eliminate the ones with errors, try adding and not _ws.expert.severity==error to the filter you are using - expert.severity==error works for me with Wireshark 1.10.14 on a Linux system, but you may need to use _ws.expert.severity==error for your version. I have to use the latter version with Wireshark 2.2.5 on my MacBook Pro laptop.
  • bertieb
    bertieb about 5 years
    Welcome to Super User! Can you edit your answer to explain what you are suggesting and why it works? Cheers
  • Victor Choy
    Victor Choy about 5 years
    Put the form in Wireshark, it will filter the tcp protocol. Very simple. I don't understand why you downvote my answer. @bertieb
  • bertieb
    bertieb about 5 years
    I didn't downvote your answer, and I cannot speak for whoever did. However you could improve this answer but editing it and adding an explanation, particular why someone should use this variant rather than the others suggested. Cheers