This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing JUST http filter


There are many packets captured by Wireshark and it uses lots of memory. I just want to capture HTTP packets; how can I do that? I understand you can just type http in the filter input, but Wireshark still captures all the packets.

asked 02 May '14, 06:48


tttttttttttt2

edited 02 May '14, 06:48


One Answer:


What you need to use are capture filters, not display filters. Capture filters are applied on the interface you start the capture on and will only accept packets that match the filter. The syntax is different from display filters (it uses the tcpdump syntax instead), so to filter on port 80 you'd use the string "tcp port 80" as a capture filter.

answered 02 May '14, 06:54


Jasper ♦♦

@Jasper: do you not know something?

(02 May '14, 06:57) tttttttttttt2

How to add more filters? For example eapol?

(02 May '14, 06:59) tttttttttttt2

Capture filter syntax is getting really complicated if you try to filter on things that are not very low level, so I rarely use anything beyond IP and port filters. I have no idea how to filter eapol, but maybe Google can help ;-)

(02 May '14, 07:01) Jasper ♦♦

I just want to capture all the http traffic, but it requires eapol handshakes to decrypt it.

(02 May '14, 07:03) tttttttttttt2

In that case you'll probably have to live with capturing all of it and filter it out later I'm afraid.

(02 May '14, 07:19) Jasper ♦♦

@Jasper how many millions of packets can I catch before it exits? I guess it depends on the resources?

(02 May '14, 07:35) tttttttttttt2

As many as your disk has room for. See my blog post at http://blog.packet-foo.com/2013/05/the-notorious-wireshark-out-of-memory-problem on how to do it best.

(02 May '14, 07:37) Jasper ♦♦

@Jasper why doesn't tcp port 80 or ether proto 0x888e work :( shows only eapol first 4 packets

(02 May '14, 07:58) tttttttttttt2

If the packets are encrypted (which I guess they are) the capture filter will not be able to match "tcp port 80" because it needs them to be clear text for that.

(02 May '14, 08:02) Jasper ♦♦

I understand and that's why I added or ether proto 0x888e which should add handshakes :( but instead it shows JUST handshakes and not http requests

(02 May '14, 08:04) tttttttttttt2

Wireshark does not decrypt packets at the time of the capture to see if capture filters match. Capture filters are applied to the raw frames coming in, so if they are encrypted the filter will not match. Decryption happens later, so only display filters will be able to match.

(02 May '14, 08:07) Jasper ♦♦

Oh, got it, it makes sense now. It's so sad that there's no filter that would apply handshake first.

(02 May '14, 08:08) tttttttttttt2

@Jasper I will apply not arp and port not 53 and not broadcast and not multicast to remove unnecessary packets. What else could I remove?

(02 May '14, 08:12) tttttttttttt2

Hard to say, it depends on what's on your network ;-)

(02 May '14, 08:13) Jasper ♦♦

@Jasper: I mostly see just 802.11 and tcp protocols. But it's much better than before, it'd be great if it were possible to remove 802.11 and/or tcp.

(02 May '14, 08:15) tttttttttttt2

It is probably possible, but I don't have anything to test it, especially without knowing what your traffic really looks like. You'll either have to use trial and error or live with the results you get, and filter the rest later through display filters.

(02 May '14, 08:19) Jasper ♦♦
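To make the point of this thread concrete (a capture filter only sees raw link-layer bytes, so "tcp port 80" cannot match inside a protected 802.11 data frame while "ether proto 0x888e" still matches the clear-text EAPOL handshake frames), here is an added worked example that is not part of the original thread, Wireshark, or libpcap. It builds a few constructed Ethernet and 802.11 frames and runs a tiny matcher that understands only the two capture-filter terms used above joined by "or"; the 802.11 decoder assumes non-QoS data frames with a 3-address header, and the "encrypted" body is just scrambled bytes standing in for a CCMP header plus ciphertext, not real encryption.

```python
import struct

ETH_IP = 0x0800
ETH_ARP = 0x0806
ETH_EAPOL = 0x888E
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"  # 802.2 LLC + SNAP header, followed by the ethertype


def ipv4_tcp(sport, dport, payload=b""):
    """Constructed IPv4+TCP bytes (checksums left zero; enough for header parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([198, 51, 100, 7]))  # constructed addresses
    return ip + tcp


def ethernet(ethertype, payload):
    """Ethernet II frame with constructed MAC addresses."""
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + payload


def wlan_data(ethertype, payload, protected):
    """802.11 data frame (3-address, non-QoS) carrying LLC/SNAP + payload."""
    # Frame Control byte 0: type=Data (0x08); byte 1 bit 0x40 = Protected Frame flag
    hdr = bytes([0x08, 0x40 if protected else 0x00]) + b"\x00\x00" + b"\x00" * 6 + b"\x02" * 6 + b"\x04" * 6 + b"\x00\x00"
    body = LLC_SNAP + struct.pack("!H", ethertype) + payload
    if protected:
        # Stand-in for 8-byte CCMP header + ciphertext: opaque to a capture filter (constructed scramble, not crypto)
        body = b"\x00" * 8 + bytes(((b * 167) + 29) & 0xFF for b in body)
    return hdr + body


def link_payload(frame, link):
    """Return (ethertype, payload) exactly as a capture filter can see it, or None if nothing is parseable."""
    if link == "ethernet":
        if len(frame) < 14:
            return None
        return struct.unpack("!H", frame[12:14])[0], frame[14:]
    if link == "wlan":
        if len(frame) < 24:
            return None
        fc_type = (frame[0] >> 2) & 0x3          # 0=management, 1=control, 2=data
        protected = bool(frame[1] & 0x40)
        if fc_type != 2 or protected:
            return None                          # no L3 header visible: not data, or body is ciphertext
        body = frame[24:]
        if len(body) < 8 or not body.startswith(LLC_SNAP):
            return None
        return struct.unpack("!H", body[6:8])[0], body[8:]
    raise ValueError("unsupported link type: %s" % link)


def matches_ether_proto(frame, link, ethertype):
    d = link_payload(frame, link)
    return d is not None and d[0] == ethertype


def matches_tcp_port(frame, link, port):
    d = link_payload(frame, link)
    if d is None or d[0] != ETH_IP:
        return False
    ip = d[1]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:   # IPv4 with protocol 6 (TCP)
        return False
    ihl = (ip[0] & 0xF) * 4
    tcp = ip[ihl:ihl + 4]
    return len(tcp) == 4 and port in struct.unpack("!HH", tcp)


def compile_filter(expr):
    """Tiny subset of tcpdump syntax: 'tcp port N' and 'ether proto X', joined by 'or'."""
    preds = []
    for term in (t.strip().split() for t in expr.split(" or ")):
        if term[:2] == ["tcp", "port"]:
            preds.append(lambda f, l, p=int(term[2]): matches_tcp_port(f, l, p))
        elif term[:2] == ["ether", "proto"]:
            preds.append(lambda f, l, e=int(term[2], 0): matches_ether_proto(f, l, e))
        else:
            raise ValueError("unsupported capture-filter term: %s" % " ".join(term))
    return lambda frame, link: any(p(frame, link) for p in preds)


def capture(frames, link, expr):
    """Indices of the frames a capture filter would keep."""
    pred = compile_filter(expr)
    return [i for i, f in enumerate(frames) if pred(f, link)]


def demo():
    http = ipv4_tcp(51000, 80, b"GET / HTTP/1.1\r\n")
    eapol = b"\x02\x03\x00\x5f\x02\x00\x8a\x00"  # constructed start of an EAPOL-Key message
    wired = [ethernet(ETH_IP, http), ethernet(ETH_ARP, b"\x00" * 28), ethernet(ETH_IP, ipv4_tcp(44000, 443))]
    wifi = [wlan_data(ETH_EAPOL, eapol, False),   # handshake frame, sent in the clear
            wlan_data(ETH_IP, http, True),        # HTTP inside a protected frame: invisible to the filter
            wlan_data(ETH_IP, http, False)]       # HTTP on an open network: matches
    return {
        "wired": capture(wired, "ethernet", "tcp port 80"),
        "wifi": capture(wifi, "wlan", "tcp port 80 or ether proto 0x888e"),
    }


if __name__ == "__main__":
    print(demo())
```

The "wifi" result keeps only the EAPOL frame and the unprotected HTTP frame; the protected one is dropped even though it carries exactly the request the questioner wanted, which is why decryption (and therefore an "http" display filter) can only be applied after the capture.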