I'm trying to filter traffic only to a given HTTP host name. I have a server, and I have dozens of websites on it. It only has one interface and one IP address. Thus filtering to my IP address is not helpful here.
Say for example I have a.com, b.com, c.com, ..., z.com sites on my server, and I only need to capture traffic of a.com, even sometimes a specific path of that site, like a.com/register.
Please note that I'm not talking about Display Filters, rather I need to apply a Capture Filter.
How can I do that? None of these filters work for me:
tcp port 80 and host a.com
host a.com
tcpdump host a.com
The problem with display filters is that the log file gets REALLY REALLY HUGE after just a small amount of capture, because display filters only show a subset of what has been captured. On the other side, capture filters only capture what is necessary. Is there any way to capture traffic to a website only? For example, do we have access to stuff like process name, or other stuff to help filter to a single website? – Saeed Neamati – 2015-10-12T07:29:45.873
"For example, do we have access to stuff like process name, or other stuff to help filter to a single website?" No, we don't. – None – 2015-10-12T07:31:33.503
@SaeedNeamati Of course, you can still use both display and capture filters. If that is not sufficient, you’re out of luck. The pcap library does not parse payloads, it only looks at headers. – Daniel B – 2015-10-12T07:35:14.593
But @DanielB, in WireShark's website it's claimed that capture filters have the same syntax as the tcpdump utility. And there it has a link to this page, which shows some samples of how to filter, and again in that page you can see this example: *To print all packets arriving at or departing from sundown:* tcpdump host sundown – Saeed Neamati – 2015-10-12T07:43:14.453
Yeah. Nowhere does it indicate this is related to HTTP in any way. Because it isn’t. It simply matches IP (or other protocol) headers. HTTP packets are regular TCP packets. They don’t have special headers you could match. – Daniel B – 2015-10-12T07:54:06.800
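To make the distinction in this thread concrete, here is an added Python example (not from the thread, Wireshark or libpcap): two constructed IPv4/TCP requests to different names hosted on one IP show that a header-only match like `host a.com` keeps both, while only a payload-aware check on the HTTP Host header (what a display filter does) tells them apart. The IP addresses and host names are constructed samples.

```python
import struct

def build_segment(src_ip, dst_ip, http_host, path="/"):
    """Constructed sample: minimal IPv4 header + TCP header + HTTP GET (no Ethernet frame)."""
    payload = f"GET {path} HTTP/1.1\r\nHost: {http_host}\r\n\r\n".encode()
    # TCP: src port, dst port 80, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ip + tcp + payload

def capture_filter_host(segment, ip):
    """What a pcap/BPF 'host <ip>' filter sees: only the IPv4 source/destination address fields."""
    src = ".".join(map(str, segment[12:16]))
    dst = ".".join(map(str, segment[16:20]))
    return ip in (src, dst)

def display_filter_http_host(segment, hostname):
    """What a dissector-based display filter does: walk IP and TCP headers, then parse the HTTP payload."""
    ihl = (segment[0] & 0x0F) * 4            # IPv4 header length in bytes
    data_offset = (segment[ihl + 12] >> 4) * 4  # TCP header length in bytes
    payload = segment[ihl + data_offset:]
    for line in payload.split(b"\r\n")[1:]:  # skip the request line
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode() == hostname
    return False

def compare_filters(segments, shared_ip, wanted_host):
    """Return how many segments each filter style keeps for the same traffic."""
    kept_by_capture = sum(capture_filter_host(s, shared_ip) for s in segments)
    kept_by_display = sum(display_filter_http_host(s, wanted_host) for s in segments)
    return kept_by_capture, kept_by_display

if __name__ == "__main__":
    # a.com and b.com both resolve to the same constructed server address
    traffic = [build_segment("198.51.100.7", "203.0.113.10", h) for h in ("a.com", "b.com")]
    print(compare_filters(traffic, "203.0.113.10", "a.com"))  # (2, 1)
```

The capture-side check cannot separate the two names because the only thing it reads is the shared IP address; the Host header sits in the TCP payload, which is why narrowing to a.com has to happen after capture.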