24
3
How can I filter out traffic that is not HTTP in Wireshark, so that it shows me only HTTP traffic, but not, TCP, DNS, SSDP, etc.
sashoalm
Posted 2014-05-01T22:42:28.350
Reputation: 2 680
Show only HTTP traffic in Wireshark
Answers
32
In the filter field, type http (lowercase!). Tested with WireShark Portable 1.10.7
Some basic filters
!httpshows all traffic which is NOT httpip.src != 196.168.1.1shows traffic which is NOT from this IP sourceip.dst == 196.168.1.1shows traffic to this IP destinationip.addr == 196.168.1.1shows all traffic which has the specific IP as source OR destination
nixda
Posted 2014-05-01T22:42:28.350
Reputation: 23 233
what if you only see protocol: 0x0800 – SuperUberDuper – 2019-09-17T11:55:26.497
ie I want to filter by http and don't see it – SuperUberDuper – 2019-09-17T11:56:17.087
1OK, it's working, but it shows both http and ssdp fields, which is strange. When I tried typing just "ssdp", it said no such protocol exists. – sashoalm – 2014-05-01T23:03:23.367
What wireshark version do you use? The wireshark wiki says, that you cannot filter for SSDP. Workaround is udp.dstport == 1900 && http
Version 1.8.2. Also, when I typed "tcp" for filter, it showed TCP, TLSv1.1 and HTTP fields. – sashoalm – 2014-05-01T23:07:33.883
If you type "tcp" as the filter, it'll show all TCP traffic, whether it's HTTP running over TCP, SSL/TLS running over TCP, or something else running over TCP. – None – 2014-05-02T21:42:41.037
5
To exclude SSDP/UDP: http && tcp
Credit: http://www.emtek.net.nz/blog/2013/03/17/wireshark-filter-http-only-exclude-ssdp-or-udp/
Johann
Posted 2014-05-01T22:42:28.350
Reputation: 451
I have been trying to figure that one out for ages. Thanks! – Arnoud Buzing – 2015-04-07T20:10:57.047
1
If you want to filter "ip address" and e.g. "http protocol" you have to input:
ip.src==192.168.109.217&&http
without spaces between.
Bettelbursche
Posted 2014-05-01T22:42:28.350
Reputation: 11
1HTTP traffic usually IS TCP traffic; it's not as if HTTP and TCP are at the same network layer. The Protocol column just shows the topmost protocol layer Wireshark understands; if a TCP packet just has an ACK and no data, or Wireshark doesn't know how to dissect the data, it'll show it as TCP, but if it does know how to dissect it, it'll show that protocol. – None – 2014-05-02T21:41:43.460