How to I add a wireshark filter to record only HTTP requests and not responses?

0	How to I add a filter to record only HTTP requests and not responses? include asked 10 Jul '12, 05:01 sorin 6●3●3●5 accept rate: 0%

One Answer:

oldest newest most voted

filter to RECORD only HTTP requests

well, that's not easy. One option would be to use tshark

tshark -i eth0 (or 1,2,3,4... on windows) -R "http.request"

However that will only print the result to STDOUT. You cannot write a pcap file with -w, at least not with the current releases of tshark/wireshark.

However, with a little "trick", you can import the tshark output.

tshark -i eth0 (or 1,2,3,4... on windows) -R "http.request" -x > http_request.txt

In Wireshark

File -> Import

Select http_request.txt and you will get only the requests in Wireshark.

HOWEVER: I would rather capture everything and then (later) use a display filter (http.request) in Wireshark to only display the http requests. Maybe you want to know the answer for some requests ;-)

Regards
Kurt

link

answered 11 Jul '12, 07:16

Kurt Knochner
8.8k●5●20●77
accept rate: 15%

edited 11 Jul '12, 07:39

Your answer

toggle preview

community wiki

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

include ×2

Asked: 10 Jul '12, 05:01

Seen: 405 times

Last updated: 11 Jul '12, 07:39

How to I add a wireshark filter to record only HTTP requests and not responses?

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions