This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Website Specific Filter

0

What would be the method to filter traffic to show a conversation with a specific website? I want to examine the conversation that occurs not between a server and my own machine, but rather between all content from a specific website and my machine. When trying to do this with a simple port/IP filter, you end up filtering out a massive part of the conversation, specifically all content hosted on external servers. Furthering the problem, you'll find that after a time a website will begin serving you content from a different one of its own servers, making it difficult to pin down your data. Ultimately, I am aiming to extract TCP and SSL (port 80, 443) data to calculate packet interarrival times.

asked 26 Feb '16, 10:37


AGauvin

1

It is not fully clear (at least to me) what exactly you want to achieve.

By starting no other application but Wireshark and the web browser, and then using just a single browser window pointed at a single web page, you should be reasonably sure that all the http and https connections you capture are related to that site. The most complex part is the discrimination between the "own servers" of the website and the "different ones".

So if I read you right and you want to see all traffic from a particular domain (e.g. free.fr), regardless of what the IP addresses of the various servers in that domain are, you need to look first at the DNS responses using a display filter like (dns.flags.response == 1) and (dns.qry.name contains "free.fr"), and then at the http/https communication with the IPs returned in those DNS responses. However, some companies use several domain names, so this method of telling apples from pears is not 100% reliable.

Wireshark includes a powerful tool, called MATE, that allows you to associate DNS requests and responses with the subsequent http(s) conversations; it should allow you to filter even undecrypted https sessions by server hostname, yet it only makes sense to discuss its use once you are sure you can unambiguously identify the domain names you are interested in.

Also, bear in mind that DNS records have expiration times of hours, so be sure that after a reboot you start capturing before you visit the site you are interested in for the first time. If you visited it before starting the capture, the DNS response would be cached and a new DNS request would not be sent the next time you opened the website.

(26 Feb '16, 14:37) sindy
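The two-step procedure sindy describes (collect the addresses that DNS returned for the domain, then filter the HTTP/HTTPS traffic to those addresses) can be scripted so that it survives the site switching between its own servers. The following is an added example, not code from the original thread or from the Wireshark project. It assumes the DNS answers were exported with tshark using the field names dns.qry.name, dns.cname, dns.a and dns.aaaa, with tshark's default tab field separator and comma value aggregator; the sample output embedded below is constructed for the example, not taken from a real capture. It also tightens the domain match beyond the "contains" filter quoted in the answer, because contains "free.fr" would also match a name like notfree.fr.

```python
"""Build a Wireshark display filter for HTTP/HTTPS traffic with every server
that DNS resolved for one domain.

Added example (not from the original post). Assumed export step, not run
here:

    tshark -r capture.pcapng \
        -Y 'dns.flags.response == 1 && dns.qry.name contains "free.fr"' \
        -T fields -e dns.qry.name -e dns.cname -e dns.a -e dns.aaaa

tshark separates fields with a tab and joins multiple values of one field
with commas; SAMPLE_TSHARK_OUTPUT below is constructed in that shape.
"""
import ipaddress

DOMAIN = "free.fr"  # the domain of interest; free.fr is the answer's example

# Constructed sample (no real capture). Columns: dns.qry.name, dns.cname,
# dns.a, dns.aaaa. The third line shows a CNAME to a CDN host outside the
# domain whose address still serves the site's content; the last line is a
# lookalike domain that the 'contains' filter lets through but we must drop.
SAMPLE_TSHARK_OUTPUT = """\
free.fr\t\t212.27.48.10,212.27.48.11\t
www.free.fr\t\t212.27.48.10\t2a01:e0c:1:1599::1
static.free.fr\tcdn.example.net\t198.51.100.7\t
notfree.fr\t\t203.0.113.9\t
"""


def in_domain(name, domain=DOMAIN):
    """True only for the domain itself or one of its subdomains, matching on
    a label boundary so that notfree.fr is not mistaken for free.fr."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def collect_ips(tshark_output, domain=DOMAIN):
    """Return the distinct server addresses DNS returned for names in the
    domain, IPv4 first, each group in numeric order. Every value is parsed
    with ipaddress so a malformed field raises instead of polluting the filter."""
    ips = set()
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (4 - len(fields))  # tolerate missing trailing fields
        qry_name, _cname, a_records, aaaa_records = fields[:4]
        if not in_domain(qry_name, domain):
            continue
        for value in (a_records + "," + aaaa_records).split(","):
            value = value.strip()
            if value:
                ips.add(ipaddress.ip_address(value))
    return [str(ip) for ip in sorted(ips, key=lambda ip: (ip.version, int(ip)))]


def build_filter(ips):
    """Compose a display filter selecting port 80/443 traffic to or from the
    resolved servers. ip.addr covers IPv4, ipv6.addr covers IPv6, and the
    explicit '||' form is accepted by every Wireshark version."""
    if not ips:
        raise ValueError("no addresses resolved for the domain; capture before the first visit")
    terms = []
    for ip in ips:
        field = "ipv6.addr" if ":" in ip else "ip.addr"
        terms.append(f"{field} == {ip}")
    return f"(tcp.port == 80 || tcp.port == 443) && ({' || '.join(terms)})"


if __name__ == "__main__":
    resolved = collect_ips(SAMPLE_TSHARK_OUTPUT)
    print(resolved)
    print(build_filter(resolved))
```

The resulting expression can be pasted into the Wireshark display filter bar or passed to tshark -Y; with it applied, the frame.time_delta_displayed field gives the interarrival time between consecutive displayed packets, which is what the question was after. As the answer notes, the list is only as complete as the DNS responses in the capture, so the export has to come from a capture started before the site was first visited.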