This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Not filtering out WPA setup packets in capture filter?

Hello!

So, I am able to view/decrypt packets over my WPA network as long as I captured the setup packets. However, there are a TON of broadcast packets that junk up the captured packets. I'm just interested in the HTTP traffic. Filtering works fine, but I would much rather set up a capture filter so my logs stop getting so huge and hard to manage. But if I do some sort of HTTP capture filtering (e.g. port 80), I never get the capture packets so don't even know if it IS HTTP traffic... How do I fix this?

Thanks!

asked 30 Aug '13, 18:25

orisqu


One Answer:

> But if I do some sort of HTTP capture filtering (e.g. port 80), I never get the capture packets so don't even know if it IS HTTP traffic... How do I fix this?

You can't, as the traffic is encrypted and, as you already realized, there is no way to know if an encrypted packet contains an HTTP frame. Therefore you cannot build a capture filter for HTTP traffic.

To reduce at least some traffic, you can filter on the MAC address of the AP and your client. See my answer to a similar (kind of) question.

http://ask.wireshark.org/questions/24107/filter-capture-based-on-80211-signal-strength

Regards
Kurt

answered 31 Aug '13, 15:17

Kurt Knochner ♦
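
One way to apply the MAC-address suggestion from the answer above, as an added example that is not part of the original answer or of the linked one: a shell helper that builds a libpcap capture filter keeping only unicast frames between the AP and one client. The function names, the sample MAC addresses and the interface name `wlan0mon` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: capture filter for a monitor-mode 802.11 capture that keeps
# only frames exchanged between one AP and one client.
# All MAC addresses and the interface name below are constructed samples.

# Normalise a MAC address to lower-case colon form; fail if it is malformed.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Usage: build_wlan_filter AP_MAC CLIENT_MAC
build_wlan_filter() {
    ap=$(normalize_mac "$1") || { echo "bad AP MAC: $1" >&2; return 1; }
    sta=$(normalize_mac "$2") || { echo "bad client MAC: $2" >&2; return 1; }
    # addr1 is the receiver and addr2 the transmitter of an 802.11 frame.
    # Matching both directions keeps the EAPOL 4-way handshake (unicast data
    # frames, required for WPA decryption) and the encrypted unicast data,
    # while beacons, broadcasts and other stations' traffic are dropped.
    # The filter cannot look at ports: the payload is still encrypted here.
    printf '(wlan addr1 %s and wlan addr2 %s) or (wlan addr1 %s and wlan addr2 %s)\n' \
        "$ap" "$sta" "$sta" "$ap"
}

# Example invocation (interface name is hypothetical, not run here):
#   dumpcap -i wlan0mon \
#       -f "$(build_wlan_filter 00:11:22:aa:bb:cc 66:77:88:dd:ee:ff)" \
#       -w wpa-client.pcapng
```

The client still has to (re)associate while the capture is running so that the handshake is recorded; HTTP is then selected with a display filter after decryption.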