Hi, im looking for a way to use wireshark to only capture http data. Im doing really long captures that seem to slow my vietual machine nearly to a stop. Is there a way i can set it so it only capturea the http information? I dont just want to filter the info but get it so i only have the http stuff jn the capture. Many thanks for any help. asked 16 Oct '16, 07:21 msriptide |
One Answer:
answered 17 Oct '16, 03:10 SynAck edited 17 Oct '16, 03:10 |
In practical terms, it means a capture filter like
tcp port 80
if the http traffic you are after uses the default port at server side. If it uses other ports, let the capture filter allow packets to/from these tcp ports in as well. However, if you do not know in advance which ports are used, you'd be better off with capturing everything (or at least all tcp packets) using a ring buffer of files in tshark, and then analyze the result files one by one using Wireshark. After the initial analysis, you may filter parts of a single tcp stream from several such files into new files and merge the new ones together to have the whole tcp session in a single file.The problem i have is that is sniffing wireless traffic, if i use port filtering it doesn't capture the handshake and im not getting any data. is there anything else i can do? if i leave it for more than half an hour the files get really large and almost crash my system
Can you move to wired capture? With encrypted wireless, you will only be able to single out data or qos-data frames until you perform the decryption step. Plus you can't be 100% sure you will always be able to decrypt - there is a non-zero probability that you will have packet loss so you may miss one or more EAPOL frames, and not be able to decrypt for that session (until the next session timeout occurs or whatever).
I would work really hard to move to wired capture mechanism and use a capture filter as @sindy suggested.
Also Wireshark should NOT be your long term capture solution. Due to the ever-increasing memory consumption, it's the wrong tool. Look at dumpcap, tcpdump, or windump for long term capture. I limit my wireless capture files to 200MB, and post process with various tshark commands to strip out things that I may want.