
Capture only HTTP protocol

asked 2020-01-31 22:53:56 +0000 by Nilaru

Is there a capture filter that will capture only HTTP packets on port 80? I don't need/want the associated TCP packets, I am trying to make the capture as small as possible.

I have tried basic "host x.x.x.x and port http" but it still includes TCP packets. I have tried a display filter of just "http", but it still includes the TCP packets.


1 Answer


answered 2020-02-01 03:36:08 +0000 by Chuckc

Wireshark man pages: https://www.wireshark.org/docs/man-pa...

Capture filtering is handled by libpcap, and its documentation is part of the libpcap distribution. pcap-filter - Capture filter syntax

To select all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

Comments

You could also experiment with packet lengths.

greater length
True if the packet has a length greater than or equal to length. This is equivalent to:
len >= length.
Chuckc (2020-02-01 03:37:17 +0000)

(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) is probably better than looking at the full packet length, as the full packet length includes the link-layer header - even for Ethernet, the link-layer header could include VLAN headers, so it's not guaranteed to be "14 bytes of link-layer header followed by the IP header". The other formula calculates the TCP payload length.

(And I need to add stuff to the capture filter syntax to make it easier to 1) get the transport-layer payload length and 2) test data in that payload. Oh, and character-string and byte-string comparisons.)

Guy Harris (2020-02-01 04:03:37 +0000)

By way of explanation to the original poster: all the packets to and from port 80 are probably TCP packets. The ones you don't need or want are the ones that don't contain any data, just the TCP header; bubbasnmp's example checks the length of the TCP payload, which is "total length of IP datagram - length of IP header - length of TCP header" ("total length of IP datagram" is fetched from a field in the IP headers and doesn't count the length of the link-layer header).

Guy Harris (2020-02-01 04:07:02 +0000)

I have tried a display filter of just "http", but it still includes the TCP packets.

What's happening there is probably that an HTTP request or response doesn't fit in a single TCP packet ("segment"), and Wireshark reassembles the segments and displays the request or response with the last segment, marking the preceding segments as just "TCP" (probably with some comment about being part of a reassembled packet).

You do want those - you need all the segments that make up an HTTP request or response in order to see the full request/response - and bubbasnmp's filter expression will capture them.

Guy Harris (2020-02-01 04:09:41 +0000)

The data I am capturing is from a security camera, which is sending video data over port 80. So I have massive amounts of packets marked as TCP, no syn/ack packets, and about 10 packets marked as HTTP.

I am able to use the display filter http.request.full_uri (just found this recently) to display only the packets I need. I'm still looking for an equivalent capture filter.

Nilaru (2020-02-03 17:59:00 +0000)
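Added example (not part of the thread above, and not libpcap's own code): a small Python script that mirrors the arithmetic of the capture filter from the answer on hand-built IPv4/TCP packets, so you can see why an ACK-only segment evaluates to a payload length of 0 and a data segment does not, and why IP options and TCP options do not throw the calculation off the way `greater` would. It also evaluates the classic tcpdump byte-comparison idiom for matching segments whose TCP payload starts with "GET " (four bytes at the TCP data offset compared against 0x47455420), which is the closest capture-filter counterpart to the http.request.full_uri display filter; that the camera's requests actually begin with GET is an assumption, and any other method string would need its own constant. The packets, ports and addresses below are constructed for the demonstration. The filter strings are shown as constants only for reference; the functions re-implement their arithmetic on raw bytes rather than compiling them with libpcap.

```python
"""Mirror the libpcap capture-filter arithmetic from this thread on constructed packets.

The packets built here are synthetic (not captured from any device) and carry
no link-layer header; all offsets are relative to the IP header, exactly as the
ip[...] and tcp[...] accessors in a capture filter are.
"""
import struct

# Filter from the answer: TCP on port 80 whose TCP payload length is non-zero.
PAYLOAD_FILTER = "tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"
# Classic tcpdump idiom (not from this thread): payload starts with "GET ".
GET_FILTER = "tcp port 80 and tcp[((tcp[12:1]&0xf0)>>2):4] = 0x47455420"


def build_packet(src_port, dst_port, flags, payload=b"", ip_options=b"", tcp_options=b""):
    """Build a minimal IPv4/TCP packet. Checksums are left at 0; they do not matter here.

    ip_options and tcp_options must be multiples of 4 bytes so that IHL and the
    TCP data offset (both counted in 32-bit words) stay valid.
    """
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    data_off = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                          data_off << 4, flags, 65535, 0, 0) + tcp_options
    total_len = ihl * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 6, 0, b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x01\x14") + ip_options
    return ip_hdr + tcp_hdr + payload


def _tcp_header(pkt):
    """Return the TCP header+payload slice, i.e. what tcp[...] indexes into."""
    ip_hlen = (pkt[0] & 0xF) << 2          # (ip[0]&0xf)<<2
    return pkt[ip_hlen:]


def tcp_payload_length(pkt):
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), evaluated on raw bytes."""
    total_len = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]
    ip_hlen = (pkt[0] & 0xF) << 2
    tcp = pkt[ip_hlen:]
    tcp_hlen = (tcp[12] & 0xF0) >> 2               # (tcp[12]&0xf0)>>2
    return total_len - ip_hlen - tcp_hlen


def _on_port_80(pkt):
    sport, dport = struct.unpack("!HH", _tcp_header(pkt)[:4])
    return 80 in (sport, dport)


def matches_payload_filter(pkt):
    """True where PAYLOAD_FILTER would accept the packet."""
    return _on_port_80(pkt) and tcp_payload_length(pkt) != 0


def matches_get_filter(pkt):
    """True where GET_FILTER would accept the packet (short payloads never match)."""
    tcp = _tcp_header(pkt)
    off = (tcp[12] & 0xF0) >> 2
    return _on_port_80(pkt) and tcp[off:off + 4] == b"GET "


# Constructed sample traffic: a bare ACK, a GET request carrying a TCP timestamp
# option (NOP, NOP, kind 8, len 10), and a large data segment with IP options.
GET_PAYLOAD = b"GET /video.cgi HTTP/1.1\r\nHost: cam\r\n\r\n"
ACK_ONLY = build_packet(51234, 80, 0x10)
GET_REQ = build_packet(51234, 80, 0x18, GET_PAYLOAD,
                       tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
VIDEO_DATA = build_packet(80, 51234, 0x18, b"\x00" * 1400,
                          ip_options=b"\x01\x01\x01\x00")


def classify(packets):
    """Return (name, payload length, PAYLOAD_FILTER match, GET_FILTER match) per packet."""
    return [(name, tcp_payload_length(p), matches_payload_filter(p), matches_get_filter(p))
            for name, p in packets]


if __name__ == "__main__":
    for row in classify([("ack-only", ACK_ONLY), ("get", GET_REQ), ("video", VIDEO_DATA)]):
        print("%-9s payload=%4d  payload_filter=%-5s get_filter=%s" % row)
```

With the camera traffic described in the last comment, PAYLOAD_FILTER still keeps every video segment (they all carry data), whereas GET_FILTER keeps only the segments that begin a request; a response-side equivalent would compare the first bytes of the payload against "HTTP" instead. Both expressions are IPv4-only, as the man page excerpt notes.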


Stats

Asked: 2020-01-31 22:53:56 +0000

Seen: 7,055 times

Last updated: Jan 31 '20