How do I get Wireshark to filter for a specific web host?

1

1

I'm using Wireshark on OSX, but I can't make any sense out of the filtering system.

I have this filter set up:

enter image description here

But when I hit that server, I don't see anything show up in the capture log. If I remove the filter, I see all sorts of network traffic. The network request I am doing is to

https://lowdown.secure.omnis.com

from an iOS application in the iOS simulator. The service receives the request, and I get a response. But I don't know how to filter these out of all the noise in Wireshark.

Almo

Posted 2014-11-15T23:30:20.080

Reputation: 339

1 What happens when you attempt to use the IP address like this: ip.dst_host eq 216.239.139.240? – JakeGould – 2014-11-15T23:33:13.937

You can filter for the IP (ping the server to get it) with ip.addr == 123.123.2.1. Don't you have to use == instead of eq? – nixda – 2014-11-15T23:33:24.737

That works, Jake. Drop it in as an answer. :) – Almo – 2014-11-15T23:36:54.403

Answers

4

You can filter on an HTTP host on multiple levels. At the application layer, you can specify a display filter for the HTTP Host header:

http.host == "example.com"

At the transport layer, you can specify a port using this display filter:

tcp.port == 80

At the network layer, you can limit the results to an IP address using this display filter:

ip.addr == 93.184.216.34

These display filters can also be combined:

ip.addr == 93.184.216.34 and tcp.port == 80

Finally, you can set a capture filter, which controls the data that gets saved to a capture file. Capture filters must be set before capturing; you can open a dialog for this by double-clicking the interface name when no capture is active. This one causes a lookup of example.com and returns IP packets matching that host:

host example.com

Lekensteyn

Posted 2014-11-15T23:30:20.080

Reputation: 5 236

Thanks for the answer. When I get back to it, I'll test this then accept the answer. :) – Almo – 2014-12-17T18:56:10.230
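
An added example, not part of the original question or answers: a small Python helper that builds the filters described above from a URL. It goes one step beyond the answer by covering HTTPS, where the Host header is encrypted and the host name is visible only in the TLS ClientHello server name (Wireshark field tls.handshake.extensions_server_name). The function name wireshark_filters and the sample inputs are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def wireshark_filters(url, resolved_ips=()):
    """Hypothetical helper: resolved_ips are addresses the caller looked up."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname
    if scheme not in DEFAULT_PORTS or not host or not HOSTNAME_RE.match(host):
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]

    if scheme == "https":
        # http.host never matches encrypted traffic; the name appears only in
        # the ClientHello (ssl.handshake... in Wireshark versions before 3.0).
        by_name = f'tls.handshake.extensions_server_name == "{host}"'
    else:
        # The Host header carries the port when it is not the default one.
        header = host if port == 80 else f"{host}:{port}"
        by_name = f'http.host == "{header}"'

    # The name filters match single packets; to see the whole conversation,
    # filter on address and port as the answer above does.
    terms = []
    for ip in resolved_ips:
        field = "ip.addr" if ipaddress.ip_address(ip).version == 4 else "ipv6.addr"
        terms.append(f"{field} == {ip}")
    by_addr = f"({' or '.join(terms)}) and tcp.port == {port}" if terms else None

    return {
        "display_by_name": by_name,
        "display_by_address": by_addr,
        "capture": f"host {host} and tcp port {port}",
    }


if __name__ == "__main__":
    # Inputs taken from the page: the question's URL, the IP from the comments.
    result = wireshark_filters("https://lowdown.secure.omnis.com", ["216.239.139.240"])
    for name, value in result.items():
        print(f"{name}: {value}")
```

The two display filters go into the filter toolbar; the capture filter goes into the capture options dialog before starting the capture.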