I "inherited" a custom sniffer program that is capturing traffic using libpcap. When I try to use display filters such as "http.request" and "http.response", no traffic is displayed in Wireshark. However, when I just use "http", I see all of the packets I would expect. Can anyone give me some hints as to what I should be looking at more closely in this custom code that would affect the ability to use these filters? I'm not a libpcap expert. asked 28 Oct '11, 11:36 dturkel
3 Answers:
Another option: Your sniffer program limits the capture to the first 68 bytes of the frame. Then you'll have http, but the dissector is unable to parse an http request or response field. Hence the http display filter works, http.request and http.response don't. answered 29 Oct '11, 11:13 Jaap ♦
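As an added illustration of this answer (example code written for this page, not code from the original thread or from the asker's sniffer), the Python below builds one constructed Ethernet/IPv4/TCP frame carrying an HTTP request, writes it to classic pcap format with two different snaplens, and then checks what a dissector can still recover from each record. The snaplen of 68 bytes is taken from the answer; the frame contents, addresses and the toy "dissector" are assumptions made for the demonstration, and the check is a deliberately simplified stand-in for Wireshark's HTTP dissector, not a reimplementation of it. In a libpcap program the number to look for is the `snaplen` argument of `pcap_open_live()` (or the value passed to `pcap_set_snaplen()`).

```python
"""Show why a short snaplen breaks 'http.request' but leaves 'http' working.

Constructed sample data only: MAC/IP addresses, ports and the request are
made up for this example, and IP/TCP checksums are left as zero.
"""
import struct

ETH_HDR_LEN = 14
IP_HDR_LEN = 20
TCP_HDR_LEN = 20
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def build_http_frame(request_line: bytes,
                     headers: bytes = b"Host: example.test\r\n\r\n") -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame to port 80 carrying an HTTP request."""
    payload = request_line + headers
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    total_len = IP_HDR_LEN + TCP_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    # src port 40000, dst port 80, seq/ack 1, data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, (TCP_HDR_LEN // 4) << 4,
                      0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen: int) -> bytes:
    """Serialise frames as classic pcap, truncating each record to snaplen
    the way a libpcap capture opened with that snaplen would (caplen < len)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for frame in frames:
        captured = frame[:snaplen]
        # ts_sec, ts_usec, incl_len (caplen), orig_len (len on the wire)
        out += struct.pack("<IIII", 0, 0, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data: bytes):
    """Yield (caplen, origlen, captured_bytes) for each record in pcap bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off < len(data):
        _, _, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        yield caplen, origlen, data[off:off + caplen]
        off += caplen


def _tcp_offset(frame: bytes) -> int:
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    return ETH_HDR_LEN + ihl


def looks_like_http_port(frame: bytes) -> bool:
    """Roughly what the plain 'http' filter needs: TCP port 80 on either side.
    The ports sit in the first 4 bytes of the TCP header, so even a 68-byte
    capture of a 54-byte header stack has them."""
    if len(frame) < ETH_HDR_LEN + IP_HDR_LEN + 4:
        return False
    src, dst = struct.unpack_from("!HH", frame, _tcp_offset(frame))
    return 80 in (src, dst)


def http_request_dissectable(frame: bytes) -> bool:
    """Roughly what an 'http.request' field needs: a complete request line
    'METHOD URI HTTP/x.y' terminated by CRLF inside the captured payload."""
    if len(frame) < ETH_HDR_LEN + IP_HDR_LEN + TCP_HDR_LEN:
        return False
    tcp_off = _tcp_offset(frame)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:]
    line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return False  # request line cut off by the snaplen
    parts = line.split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/")


def capture_summary(snaplen: int) -> dict:
    """Capture one constructed request at the given snaplen and report what survives."""
    frame = build_http_frame(b"GET /index.html HTTP/1.1\r\n")
    caplen, origlen, captured = next(read_pcap(write_pcap([frame], snaplen)))
    return {
        "caplen": caplen,
        "len": origlen,
        "http": looks_like_http_port(captured),
        "http.request": http_request_dissectable(captured),
    }


if __name__ == "__main__":
    for s in (68, 65535):
        print(f"snaplen={s}: {capture_summary(s)}")
```

With the constructed frame (54 bytes of headers plus 48 bytes of HTTP), a snaplen of 68 leaves only 14 bytes of payload, so the record still matches on port 80 but the request line never reaches its CRLF; with a full-size snaplen the same frame yields both fields. The same caplen-versus-len mismatch is visible in Wireshark's frame details for every packet of a truncated capture, which is a quick way to confirm this diagnosis before reading the sniffer's source.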
libpcap doesn't use Wireshark display filters, it uses capture filters. It seems that your custom sniffer appends your filter string to "port ", then feeds it to libpcap. That way "port http" results in BPF filter code, while compilation of "port http.request" and "http.response" does not. answered 28 Oct '11, 15:08 Jaap ♦ Thanks Jaap. What I'm trying to do is select/display a capture from the custom sniffer in Wireshark, applying the display filter "http.response". The custom sniffer does not apply any filters (which is desired, because there are quite a few other non-http filters that need to be applied as well, e.g. for SMB and other higher-level protocols). (28 Oct '11, 15:55) dturkel
libpcap does not accept Wireshark filters but tcpdump filters. Look at justniffer for an example of a sniffer using the libpcap libraries. answered 03 Nov '11, 04:13 Augustyn
The same thought occurred to me this morning over coffee. There was an option to provide the number of bytes to capture, and I increased this... and bingo, problem solved. Thanks very much!