How to filter by protocol in Wireshark 2.2.7

4

1

I am trying to show only HTTP traffic in the capture window in the latest version of Wireshark, but I cannot figure out what the syntax is for the capture filter.

I have tried suggestions for old versions of Wireshark but with no success.

I have this current filter:

ip host 192.168.0.201

Meaning that I want to capture packets from and to that IP address. I need to add an HTTP protocol condition. I have tried "ip host 192.168.0.201 http", "ip host 192.168.0.201 and ip.proto == 'http'", and a lot of other combinations, but none worked.

EDIT:

This is the actual capture session, so that you can figure out what the problem is:

[screenshot: Capture session]

Regards, Jaime

jstuardo

Posted 2017-06-30T21:36:58.890

Reputation: 201

Did you try entering the actual port number of HTTP (port 80) instead of 'http'? – Kirill2485 – 2017-06-30T21:53:10.590

Port is 8080.... but I don't want to filter by port but by protocol... protocol http means methods Get or Post.. when I don't filter by protocol, I get entries with http and tcp protocols, both using the same port 8080. Since TCP entries are the majority, I need to filter them. – jstuardo – 2017-06-30T22:29:17.347

If you just want to monitor GET and POST requests to a website, the Chrome developer tools let you do that. Just press F12 and go to "Network". – Kirill2485 – 2017-07-01T00:28:29.833

No.... you cannot assume this is a PC. This is actually a device that sends requests to a website and receives responses from it. That traffic is what I need to monitor. That is the reason I need a tool such as Wireshark. – jstuardo – 2017-07-01T00:34:46.897

Answers

0

Based on your comments, if you only want to filter HTTP POST or GET messages you could use the following filter:

http.request.method == GET or http.request.method == POST and ip.host == 192.168.0.201

Tested with 2.2.6

[screenshot: Wireshark display filter result]

mtak

Posted 2017-06-30T21:36:58.890

Reputation: 11 805

This does not meet the requirement. I can do that, but I can only see the GET and POST requests made by 192.168.0.201. I also need to capture the server response. For example, when the device sends a GET or POST request, the server responds with an OK or, depending on the requested command, another response. That is why I need to capture the HTTP protocol. Please see my question edit. You can see there the request and the OK sent by the server. You will also see a lot of TCP entries that belong to the acknowledgement mechanism of the transport protocol. – jstuardo – 2017-07-01T15:16:33.853

Oh I'm sorry. I just read "protocol http means methods Get or Post...". I don't really agree with that statement, but that's what you asked for... I'm sorry to have wasted your time with my obviously wrong answer. – mtak – 2017-07-02T14:43:53.127

0

You can filter on IP address and port with "ip.addr==192.168.0.201 and tcp.port==8080" to display only packets to TCP port 8080. If you want to be more specific regarding the HTTP traffic, i.e., you only want to see packets where the method is GET or POST, you could use "http.request.method == method", e.g., "http.request.method == GET", instead of "tcp.port==8080".

moonpoint

Posted 2017-06-30T21:36:58.890

Reputation: 4 432

I used this capture filter "host 192.168.0.201 and (port 8080 or port 80)" but it also captures TCP entries because they also occur on port 8080. Please see my question edit. – jstuardo – 2017-07-01T15:19:48.720

I have finally used this display filter: "http"... and it works. However, it also captures error packets, which are displayed in red in Wireshark. Is there a way to filter that? – jstuardo – 2017-07-01T18:18:03.510

@jstuardo, to eliminate the ones with errors, try adding "and not _ws.expert.severity==error" to the filter you are using. "expert.severity==error" works for me with Wireshark 1.10.14 on a Linux system, but you may need to use "_ws.expert.severity==error" for your version. I have to use the latter form with Wireshark 2.2.5 on my MacBook Pro laptop. – moonpoint – 2017-07-02T18:50:38.557
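An added illustration, not part of the thread, of why the capture filter "host 192.168.0.201 and (port 8080 or port 80)" still shows bare TCP segments while the "http" display filter does not: a capture filter only inspects IP/TCP header fields, whereas the HTTP display filter needs a dissectable request or status line in the payload. The packets, the server address 203.0.113.10 and the payloads below are constructed for the example.

```python
from dataclasses import dataclass

DEVICE = "192.168.0.201"        # the device from the question
SERVER = "203.0.113.10"         # constructed server address (documentation range)

# Request-line prefixes the HTTP dissector recognises (subset, for illustration)
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes              # TCP segment payload; b"" for pure SYN/ACK segments

def bpf_host_and_ports(pkt, host=DEVICE, ports=(8080, 80)):
    """Capture-filter semantics of 'host X and (port 8080 or port 80)':
    only addresses and ports are consulted, so payload-less ACKs match too."""
    return host in (pkt.src, pkt.dst) and (pkt.sport in ports or pkt.dport in ports)

def is_http(pkt):
    """Display-filter semantics of 'http': the segment must carry something the
    HTTP dissector can parse, a request line or a status line."""
    return pkt.payload.startswith(HTTP_METHODS) or pkt.payload.startswith(b"HTTP/1.")

def display_http_for_host(pkt, host=DEVICE):
    """Display filter 'http and ip.addr == 192.168.0.201': keeps the device's
    requests AND the server's responses (unlike matching http.request.method)."""
    return is_http(pkt) and host in (pkt.src, pkt.dst)

# Constructed packet list modelling one POST exchange plus an unrelated host
PACKETS = [
    Packet(DEVICE, SERVER, 50123, 8080, b""),                                   # 0 SYN
    Packet(SERVER, DEVICE, 8080, 50123, b""),                                   # 1 SYN/ACK
    Packet(DEVICE, SERVER, 50123, 8080,
           b"POST /api/status HTTP/1.1\r\nHost: device.example\r\n\r\n"),       # 2 request
    Packet(SERVER, DEVICE, 8080, 50123, b""),                                   # 3 ACK
    Packet(SERVER, DEVICE, 8080, 50123,
           b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),                    # 4 response
    Packet(DEVICE, SERVER, 50123, 8080, b""),                                   # 5 ACK
    Packet("192.168.0.55", SERVER, 40000, 8080, b"GET / HTTP/1.1\r\n\r\n"),     # 6 other host
]

def apply(filt, packets=PACKETS):
    """Return the indices of packets a filter would keep."""
    return [i for i, p in enumerate(packets) if filt(p)]

if __name__ == "__main__":
    print("capture filter keeps:", apply(bpf_host_and_ports))   # includes the ACKs
    print("display filter keeps:", apply(display_http_for_host))  # request + response only
```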

-2

Just try this, it works.

ip.addr == 192.168.2.11 and tcp

Put the style in the Wireshark filter; it will filter the tcp protocol. Very simple.

Victor Choy

Posted 2017-06-30T21:36:58.890

Reputation: 97

Welcome to Super User! Can you [edit] your answer to explain what you are suggesting and why it works? Cheers – bertieb – 2019-04-03T09:01:42.583

Put the form in Wireshark; it will filter the tcp protocol. Very simple. I don't understand why you downvote my answer. @bertieb – Victor Choy – 2019-04-03T11:51:29.460

I didn't downvote your answer, and I cannot speak for whoever did. However, you could improve this answer by [edit]ing it and adding an explanation, particularly why someone should use this variant rather than the others suggested. Cheers – bertieb – 2019-04-03T14:20:47.847