How can I filter out traffic that is not HTTP in Wireshark, so that it shows me only HTTP traffic, but not, TCP, DNS, SSDP, etc.
Asked
Active
Viewed 6.7k times
26
-
1HTTP traffic usually *IS* TCP traffic; it's not as if HTTP and TCP are at the same network layer. The Protocol column just shows the topmost protocol layer Wireshark understands; if a TCP packet just has an ACK and no data, or Wireshark doesn't know how to dissect the data, it'll show it as TCP, but if it does know how to dissect it, it'll show that protocol. – May 02 '14 at 21:41
3 Answers
34
In the filter field, type http (lowercase!). Tested with WireShark Portable 1.10.7
Some basic filters
!httpshows all traffic which is NOT httpip.src != 196.168.1.1shows traffic which is NOT from this IP sourceip.dst == 196.168.1.1shows traffic to this IP destinationip.addr == 196.168.1.1shows all traffic which has the specific IP as source OR destination
-
1OK, it's working, but it shows both http and ssdp fields, which is strange. When I tried typing just "ssdp", it said no such protocol exists. – sashoalm May 01 '14 at 23:03
-
What wireshark version do you use? The wireshark wiki says, that [you cannot filter for SSDP](http://wiki.wireshark.org/SSDP). Workaround is `udp.dstport == 1900 && http` – nixda May 01 '14 at 23:03
-
Version 1.8.2. Also, when I typed "tcp" for filter, it showed TCP, TLSv1.1 and HTTP fields. – sashoalm May 01 '14 at 23:07
-
If you type "tcp" as the filter, it'll show all TCP traffic, whether it's HTTP running over TCP, SSL/TLS running over TCP, or something else running over TCP. – May 02 '14 at 21:42
-
-
5
To exclude SSDP/UDP: http && tcp
Credit: http://www.emtek.net.nz/blog/2013/03/17/wireshark-filter-http-only-exclude-ssdp-or-udp/
Johann
- 631
- 1
- 8
- 16
1
If you want to filter "ip address" and e.g. "http protocol" you have to input:
ip.src==192.168.109.217&&http
without spaces between.
Bettelbursche
- 11
- 1