This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“HTTP” in packet list frame vs. display filter

0

I start Wireshark, then browse to a couple of websites, and voila, HTTP packets start showing up in the packet list frame. Then I stop the capture (or not), and type "http" in the display filter, and nothing passes the filter. However, "tcp port 80" does give me the packets labeled HTTP (along with a bunch of other stuff).

  1. What am I misunderstanding about how display filters work?
  2. How can I filter to get just HTTP packets, and not other packets involving "tcp port 80"?

asked 20 Oct '15, 09:41


vparunak
1111
accept rate: 0%

1

It works on my system, so:

  • what is your OS and OS version
  • what is your Wireshark version
  • What's the color of the display filter field after you type http
(20 Oct '15, 10:15) Kurt Knochner ♦

OS: Mac OSX Yosemite 10.10.5 WS: 2.0.0rc1 (I know it's development, but Yosemite doesn't have Quartz to run 1.12.x) Color: green

Thanks for your help!

(20 Oct '15, 10:18) vparunak

I can try it this evening. 2.0.0rc1 on Mac, if you want.

(20 Oct '15, 10:45) Christian_R

2 Answers:

0

Same here on Windows 7 with 2.0.0rc1. I'd say it's a bug.

Please try one of the latest automatic builds

https://www.wireshark.org/download/automated/

Regards
Kurt

answered 20 Oct '15, 10:26


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 20 Oct '15, 10:28

So: if I do the dance needed to install 1.12, it should work OK?

(20 Oct '15, 10:35) vparunak
1

It works on my system, and I've never heard of such problems with the current stable release. That's all I can say. So, in general this would translate to: yes.

(20 Oct '15, 10:38) Kurt Knochner ♦

I tried 2.1, and that seems to work fine. Thanks for the excellent help.

(20 Oct '15, 12:25) vparunak

good!

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(20 Oct '15, 12:26) Kurt Knochner ♦

0

The display filter "http" will only match packets that have data in them. Wireshark treats all higher-level (above TCP) protocols this way. If it runs over port 80 and has data in it, it's an HTTP packet. If the packet does not have any data in it, then it doesn't matter that it runs over port 80. Wireshark identifies it as simply TCP. So the display filter "http" will not show empty packets: TCP connection establishment, acknowledgments, connection termination. If you want to see all packets in a web browsing session, then "tcp.port==80" (or whatever port was used) is a better display filter.

But besides that, beginning with version 1.12.0, Wireshark does not always correctly identify HTTP packets. This is a known bug: See the answer to this question.

Edit: Having now tried this in 2.0.0rc1, I see that this is new behavior which seems to be a different bug from the one I described.

answered 20 Oct '15, 11:47


Jim Aragon
7.2k733118
accept rate: 24%

edited 31 Mar '16, 22:00
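To make the distinction in the answer above concrete, here is an added example (not part of the original thread and not Wireshark's own dissector code) that parses minimal IPv4/TCP packets with the standard library and applies the two display filters the way the answer describes them: "tcp.port==80" matches on port alone, while "http" is modelled as "port 80 and a non-empty TCP payload". The packets are constructed inline as a small web session (handshake, request, response, teardown); the checksums are left at zero and the "payload means HTTP" rule is the answer's simplification, not a claim about everything the real HTTP dissector checks.

```python
import struct

# TCP flag bits used to build the constructed session below
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_ipv4_tcp(src_port, dst_port, flags, payload=b""):
    """Build a minimal IPv4 + TCP packet (no Ethernet header).

    Constructed for this example: sequence numbers and checksums are zero,
    and the parser below does not verify checksums.
    """
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0,            # sequence number (unset)
        0,            # acknowledgement number (unset)
        5 << 4,       # data offset: 5 words = 20 bytes, no options
        flags,
        65535,        # window
        0,            # checksum (unset)
        0,            # urgent pointer
    )
    total_len = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,         # version 4, IHL 5 (20-byte header)
        0, total_len, 0, 0,
        64,           # TTL
        6,            # protocol: TCP
        0,            # checksum (unset)
        bytes([10, 0, 0, 1]),        # client (constructed address)
        bytes([192, 0, 2, 80]),      # server (RFC 5737 documentation range)
    )
    return ip_header + tcp_header + payload


def parse_tcp(pkt):
    """Return ports, flags and payload of an IPv4/TCP packet, or None if not TCP.

    Payload length is derived from the header fields (IP total length minus
    IHL and TCP data offset), which is what decides whether a segment carries
    data at all.
    """
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        return None
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],
        "payload": pkt[ihl + doff:total_len],
    }


def match_tcp_port_80(p):
    """Equivalent of the display filter tcp.port==80: port alone decides."""
    return p["sport"] == 80 or p["dport"] == 80


def match_http(p):
    """Simplified model of the display filter http, as described in the answer:
    port 80 AND a non-empty payload. Handshake, bare ACKs and FINs have no
    payload, so they stay plain TCP."""
    return match_tcp_port_80(p) and len(p["payload"]) > 0


def constructed_session():
    """A nine-packet web session on port 80, constructed for this example."""
    c, s = 51234, 80
    return [
        build_ipv4_tcp(c, s, TCP_SYN),                       # handshake
        build_ipv4_tcp(s, c, TCP_SYN | TCP_ACK),
        build_ipv4_tcp(c, s, TCP_ACK),
        build_ipv4_tcp(c, s, TCP_PSH | TCP_ACK,              # request
                       b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        build_ipv4_tcp(s, c, TCP_ACK),                       # bare ACK
        build_ipv4_tcp(s, c, TCP_PSH | TCP_ACK,              # response
                       b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        build_ipv4_tcp(s, c, TCP_FIN | TCP_ACK),             # teardown
        build_ipv4_tcp(c, s, TCP_FIN | TCP_ACK),
        build_ipv4_tcp(s, c, TCP_ACK),
    ]


def filter_counts(packets=None):
    """Count how many packets each of the two display filters would show."""
    parsed = [parse_tcp(p) for p in (packets or constructed_session())]
    parsed = [p for p in parsed if p is not None]
    return {
        "tcp.port==80": sum(1 for p in parsed if match_tcp_port_80(p)),
        "http": sum(1 for p in parsed if match_http(p)),
    }


if __name__ == "__main__":
    for name, count in filter_counts().items():
        print(f"{name:14s} matches {count} of 9 packets")
```

Running it shows "tcp.port==80" matching all nine packets while "http" matches only the two segments that actually carry a request or response, which is the gap the answer explains; what the question describes (zero matches for "http" on a capture that visibly contains HTTP requests) would be a different situation, consistent with the bug noted in the answer.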

Thanks, that gives me some context.

(20 Oct '15, 12:23) vparunak

Well my try has looked like the described bug. But I am not 100% sure, because I can't reproduce it.

(20 Oct '15, 12:32) Christian_R