This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

packet filtering ‘YouTube’ using Wireshark

0

Thanks for reading guys.

I am a student studying network & security.

I and my group were given a task to packet filter 'YouTube' video traffic and we came up with the following method from reading a number of threads in the Wireshark forum and our own research.

However, we are not confident with our methods and we would like to ask for your advice.

All of our team members are using Windows 7 and Chrome web browser for this task.

** filter : tcp.port == 443 or tcp.port == 80

We used the HTTPS protocol and we included tcp.port == 80 since we found packets on port 80 which we assume were related to the YouTube video we were trying to packet filter. We combined this filter with the frame.number filter in order to identify the first SYN packet and the last packet in order to only capture between those two designated SYN packets. This was because we thought analysing packets during Flow Completion Time is the correct method of packet filtering YouTube video streaming.

Please correct us if we are wrong.

Your answers would be much appreciated :)

asked 20 Nov '14, 19:44

Snowleopard
16115
accept rate: 0%

edited 21 Nov '14, 09:29


One Answer:

1

Filtering for tcp port 80 and 443 will get you all packets that are HTTP or HTTPS, meaning that you get more than just Youtube.

To filter just Youtube traffic you'd either need to filter on HTTP GET commands containing the partial URL "youtube.com" ("http.request" family of filters, with "contains" operator), or you need to identify the network range of YouTube and include an IP range filter, like "ip.addr==w.x.y.z/maskbits". The latter would also work if you can't see the URL parameter when connection user is encrypted, but it can be a challenge to find all network ranges used by YouTube.

answered 22 Nov '14, 03:59

Jasper ♦♦
23.8k551284
accept rate: 18%
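
The difference between the port filter from the question and the two approaches in the answer, as an added example that is not part of the original thread. The network ranges are RFC 5737 documentation placeholders, not real YouTube ranges, and the packet records and function names are constructed for illustration.

```python
import ipaddress

# ASSUMPTION: placeholder documentation ranges standing in for "w.x.y.z/maskbits".
ASSUMED_RANGES = [ipaddress.ip_network(n)
                  for n in ("192.0.2.0/24", "198.51.100.0/25")]
HOST_NEEDLE = "youtube.com"


def display_filter(ranges=ASSUMED_RANGES, needle=HOST_NEEDLE):
    """Build one Wireshark display filter combining both approaches."""
    parts = [f'http.host contains "{needle}"']
    parts += [f"ip.addr == {net}" for net in ranges]
    return " or ".join(parts)


def port_filter(pkt):
    """The question's filter: tcp.port == 443 or tcp.port == 80."""
    return pkt["port"] in (80, 443)


def classify(pkt, ranges=ASSUMED_RANGES, needle=HOST_NEEDLE):
    """Return 'host', 'range' or None for one packet record."""
    host = pkt.get("http_host")
    if host and needle in host:          # only visible in cleartext HTTP
        return "host"
    # ip.addr matches either direction, so test source and destination.
    addrs = [ipaddress.ip_address(pkt[k]) for k in ("src", "dst")]
    if any(a in net for a in addrs for net in ranges):
        return "range"                   # still works when the URL is encrypted
    return None


# Constructed sample records; "port" is the server-side TCP port.
SAMPLE = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "port": 80,
     "http_host": "www.youtube.com"},
    {"src": "10.0.0.5", "dst": "192.0.2.44", "port": 443, "http_host": None},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "port": 443, "http_host": None},
    {"src": "10.0.0.5", "dst": "203.0.113.80", "port": 443, "http_host": None},
    {"src": "10.0.0.5", "dst": "198.51.100.200", "port": 80,
     "http_host": "example.org"},
]

if __name__ == "__main__":
    print(display_filter())
    for p in SAMPLE:
        print(p["dst"], "port-filter:", port_filter(p), "method:", classify(p))
```

Every sample record passes the port filter, while the last two match neither the host check nor a listed range, which is the over-capture the answer points out.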