This is our old Q&A Site. Please post any new questions and answers at

I am running CentOS v5.8 64bit. What are the correct capture and display filters to use in TShark to monitor and trace HTTP/HTTPS traffic similar to what is provided by HTTPWatch?

Also, what is the safest value to use for snaplen if I only want the following information below:

  • Number
  • Time
  • Absolute Date and Time
  • Source IP Address
  • Source FQDN
  • Source Port
  • Destination IP Address
  • Destination FQDN
  • Destination Port
  • Protocol
  • URL

Thank you in advance.

asked 06 Aug '12, 17:27

bintut's gravatar image

accept rate: 0%

The safest snaplength to use would be 0 (to capture whole frames), as the URL might be very long and not fit within one packet. So you might need TCP reassembly and that only works when whole frames are captured.

The for the correct display and capture filters, HTTP watch is a different tool and it works differently. If all your HTTP traffic is on port 80, you can use the capture filter "tcp port 80". But of course it will give you the whole TCP session, including acks etc. If you just want to see the http-requests and responses, you can use the display filter "http.request or http.response" after capturing.

permanent link

answered 12 Aug '12, 05:34

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Thank you for your answer. I just created a new question which is not specific to HTTP or HTTPS and you can find it at

(26 Aug '12, 19:45) bintut
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 06 Aug '12, 17:27

question was seen: 14,222 times

last updated: 26 Aug '12, 19:45

p​o​w​e​r​e​d by O​S​Q​A