There are many packets captured by Wireshark and it uses lots of memory. I just want to capture HTTP packets, how can I do that? I understand you can just type
asked 02 May '14, 06:48 tttttttttttt2, edited 02 May '14, 06:48
One Answer:
What you need to use are capture filters, not display filters. Capture filters are applied on the interface you start the capture on and will only accept packets that match the filter. The syntax is different from display filters (it's using the tcpdump syntax instead), so to filter on port 80 you'd use the string "tcp port 80" as a capture filter.
answered 02 May '14, 06:54 Jasper ♦♦
@Jasper: do you not know something?
How to add more filters? For example EAPOL?
Capture filter syntax is getting really complicated if you try to filter on things that are not very low level, so I rarely use anything beyond IP and port filters. I have no idea how to filter eapol, but maybe Google can help ;-)
I just want to capture all the HTTP traffic, but it requires EAPOL handshakes to decrypt it.
In that case you'll probably have to live with capturing all of it and filter it out later I'm afraid.
@Jasper how many millions of packets can I catch before it exits? I guess it depends on the resources?
As many as your disk has room for. See my blog post at http://blog.packet-foo.com/2013/05/the-notorious-wireshark-out-of-memory-problem on how to do it best.
@Jasper why doesn't "tcp port 80 or ether proto 0x888e" work :( It shows only the EAPOL first 4 packets.
If the packets are encrypted (which I guess they are) the capture filter will not be able to match "tcp port 80" because it needs them to be clear text for that.
I understand and that's why I added "or ether proto 0x888e", which should add handshakes :( but instead it shows JUST handshakes and not HTTP requests.
Wireshark does not decrypt packets at the time of the capture to see if capture filters match. Capture filters are applied to the raw frames coming in, so if they are encrypted the filter will not match. Decryption happens later, so only display filters will be able to match.
Oh, got it, it makes sense now. It's so sad that there's no filter that would apply handshake first.
@Jasper I will apply "not arp and port not 53 and not broadcast and not multicast" to remove unnecessary packets. What else could I remove?
Hard to say, it depends on what's on your network ;-)
@Jasper: I mostly see just 802.11 and tcp protocols. But it's much better than before, it'd be great if it were possible to remove 802.11 and/or tcp.
It is probably possible, but I don't have anything to test it, especially without knowing what your traffic really looks like. You'll either have to try trial & error or live with the results you get, and filter the rest later through display filters.
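The point made in the answer and in the comments above (a capture filter sees only the raw frame bytes, so "tcp port 80" cannot match a WPA2-protected data frame while "ether proto 0x888e" still matches the clear-text EAPOL handshake, and "not arp and port not 53 and not broadcast and not multicast" drops only what is visible at link layer) can be shown with a small model. The following is an added example, not Wireshark or libpcap code: it builds a handful of constructed 802.11 frames with made-up MAC and IP addresses, parses only what is readable before decryption, and evaluates tcpdump-style predicates against that view. Frame layouts are simplified (data subtype 0 only, no QoS control field, checksums left at zero) and "port not 53" is treated the same as "not port 53".

```python
"""Toy model of capture-filter matching on raw 802.11 frames (added example).

This is NOT Wireshark/libpcap code. It mimics the capture-time view: a capture
filter only sees the bytes on the wire, so a WPA2-protected data frame is a
header plus ciphertext and "tcp port 80" has nothing to match. EAPOL handshake
frames travel in the clear as LLC/SNAP data frames, so "ether proto 0x888e"
does match them. All frames below are constructed for this example.
"""
import struct

BROADCAST = b"\xff" * 6
SNAP_HDR = b"\xaa\xaa\x03\x00\x00\x00"      # LLC/SNAP header, ethertype follows
STA = bytes.fromhex("021122334455")           # assumed station MAC
AP = bytes.fromhex("02aabbccddee")            # assumed AP/BSSID MAC


def wifi_data(dst, src, bssid, body, protected=False):
    """802.11 data frame, subtype 0, ToDS/FromDS=0 (addr1=DA, addr2=SA, addr3=BSSID).
    QoS data (subtype 8) would add a 2-byte QoS control field; not modeled."""
    fc = bytes([0x08, 0x40 if protected else 0x00])   # Protected Frame flag = 0x40
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def wifi_beacon(bssid):
    """802.11 management frame (beacon): always broadcast, never encrypted."""
    return bytes([0x80, 0x00]) + b"\x00\x00" + BROADCAST + bssid + bssid + b"\x00\x00" + b"\x00" * 12


def ipv4_tcp(src_ip, dst_ip, sport, dport):
    """Minimal IPv4 + TCP SYN; checksums left at 0 (a capture filter never checks them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return ip + tcp


def parse(frame):
    """What a capture filter can see: link-layer fields always, IP/ports only if the
    body is an unprotected LLC/SNAP payload. Encrypted bodies yield no ethertype."""
    fc0, fc1 = frame[0], frame[1]
    info = {"type": (fc0 >> 2) & 0x3, "dst": frame[4:10], "protected": bool(fc1 & 0x40),
            "ethertype": None, "proto": None, "sport": None, "dport": None}
    if info["type"] != 2 or info["protected"]:
        return info                       # management/control frame, or ciphertext
    body = frame[24:]
    if body[:6] != SNAP_HDR:
        return info
    info["ethertype"] = struct.unpack("!H", body[6:8])[0]
    if info["ethertype"] == 0x0800:
        ip = body[8:]
        ihl = (ip[0] & 0x0F) * 4
        info["proto"] = ip[9]
        if info["proto"] in (6, 17):      # TCP or UDP: ports are the first two fields
            info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


# Predicates named after the tcpdump primitives used in the thread.
def ether_proto(et): return lambda i: i["ethertype"] == et
def tcp_port(p): return lambda i: i["proto"] == 6 and p in (i["sport"], i["dport"])
def port(p): return lambda i: i["proto"] in (6, 17) and p in (i["sport"], i["dport"])
arp = ether_proto(0x0806)
def broadcast(i): return i["dst"] == BROADCAST
def multicast(i): return bool(i["dst"][0] & 0x01)   # group bit; broadcast is also multicast
def not_(f): return lambda i: not f(i)
def and_(*fs): return lambda i: all(f(i) for f in fs)
def or_(*fs): return lambda i: any(f(i) for f in fs)


# Constructed capture: one 4-way-handshake message, an HTTP SYN on an open network,
# the same SYN under WPA2 (CCMP) protection, an ARP request and a beacon.
EAPOL_M1 = SNAP_HDR + b"\x88\x8e" + struct.pack("!BBH", 2, 3, 95) + b"\x02" + b"\x00" * 94
HTTP_SYN = SNAP_HDR + b"\x08\x00" + ipv4_tcp(bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]), 51515, 80)
CCMP_BODY = b"\x01\x00\x00\x20\x00\x00\x00\x00" + bytes((i * 37 + 11) & 0xFF for i in range(60))
ARP_REQ = (SNAP_HDR + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01"
           + STA + bytes([10, 0, 0, 5]) + b"\x00" * 6 + bytes([10, 0, 0, 1]))
FRAMES = [
    ("eapol-m1", wifi_data(STA, AP, AP, EAPOL_M1)),
    ("http-syn-clear", wifi_data(AP, STA, AP, HTTP_SYN)),
    ("http-syn-encrypted", wifi_data(AP, STA, AP, CCMP_BODY, protected=True)),
    ("arp-request", wifi_data(BROADCAST, STA, AP, ARP_REQ)),
    ("beacon", wifi_beacon(AP)),
]


def capture(filt, frames=FRAMES):
    """Names of the frames a capture filter would let through."""
    return [name for name, raw in frames if filt(parse(raw))]


if __name__ == "__main__":
    print("ether proto 0x888e                ->", capture(ether_proto(0x888e)))
    print("tcp port 80 or ether proto 0x888e ->", capture(or_(tcp_port(80), ether_proto(0x888e))))
    noise = and_(not_(arp), not_(port(53)), not_(broadcast), not_(multicast))
    print("not arp and not port 53 and ...   ->", capture(noise))
```

Running it reproduces the thread: "tcp port 80 or ether proto 0x888e" passes the handshake frame and the clear-text SYN but never the protected one, and the noise-removal filter keeps the encrypted data frames along with the handshake, which is why the only practical option on a protected network is to capture the encrypted traffic and apply display filters after decryption.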