When I use a display filter for HTTP, it shows only HTTP packets when the HTTP message is on the standard port, i.e. on port 80. But when the message is not using the standard port, the display filter does not work for HTTP, and I need to filter for TCP and then find the HTTP packets manually.
I want to know why this happens. Is it standard behavior, or am I doing (or expecting) it wrongly?
asked 07 Nov '13, 22:22
It is normal behavior. If you want to be able to use the "http" filter for HTTP traffic on non-standard ports you need to tell Wireshark that it IS in fact http on that port. You can do that in the preferences of the HTTP protocol decoder (there's a list of ports that you can edit).
answered 07 Nov '13, 23:16
edited 08 Nov '13, 03:17
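The port-based selection described in the answer, as an added example that is not part of the original post and is not Wireshark's code: a small Python model showing why HTTP on an unlisted port stays labelled as plain TCP, and how to find the ports that belong in the list. The segment records, field names and the single-port list are constructed assumptions.

```python
import re

# Ports mapped to the HTTP decoder in this model (assumption: only port 80,
# as in the question; a real port list can hold more entries).
HTTP_PORTS = {80}

# An HTTP/1.x message starts with a request line or a status line.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")


def classify_by_port(segments, http_ports):
    """Port-table selection: a segment is 'http' only if one of its ports is listed."""
    return ["http" if (s["sport"] in http_ports or s["dport"] in http_ports) else "tcp"
            for s in segments]


def unlisted_http_ports(segments, http_ports):
    """Server ports whose payload looks like HTTP but which are not in the list."""
    found = set()
    for s in segments:
        if s["sport"] in http_ports or s["dport"] in http_ports:
            continue  # already handled by the port table
        if REQUEST_LINE.match(s["payload"]):
            found.add(s["dport"])  # request: the server is the destination
        elif STATUS_LINE.match(s["payload"]):
            found.add(s["sport"])  # response: the server is the source
    return sorted(found)


# Constructed sample TCP segments (not taken from a real capture).
SEGMENTS = [
    {"sport": 49152, "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: a.example\r\n\r\n"},
    {"sport": 49153, "dport": 8081,
     "payload": b"GET /status HTTP/1.1\r\nHost: b.example\r\n\r\n"},
    {"sport": 8081, "dport": 49153,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    {"sport": 49154, "dport": 5432,
     "payload": b"\x00\x00\x00\x08\x04\xd2\x16\x2f"},  # binary, not HTTP
]

if __name__ == "__main__":
    print("before:", classify_by_port(SEGMENTS, HTTP_PORTS))
    extra = unlisted_http_ports(SEGMENTS, HTTP_PORTS)
    print("ports to add to the HTTP list:", extra)
    print("after: ", classify_by_port(SEGMENTS, HTTP_PORTS | set(extra)))
```

Once the reported port is added to the list, the same segments are labelled as HTTP, which is the effect of editing the port list in the HTTP preferences.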