Ask Your Question

What the display filter to only see traffic for a particular website?

asked 2019-02-23 19:19:08 +0000

yakinharoon gravatar image

When I enter in the browser. I would like to see everything related to For instance,

  1. DNS for
  2. TCP handshake for
  3. HTTP GET request
edit retag flag offensive close merge delete


So you want the TCP handshake, and the TCP get request, but not any ACK-only packets, in the TCP connection to

Guy Harris gravatar imageGuy Harris ( 2019-03-21 20:18:08 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted

answered 2019-02-26 00:07:17 +0000

updated 2019-03-21 19:43:42 +0000


This is how I do it but there are probably other (better?) ways.

Capture all traffic when you are browsing to the website.

When you are done close your browser and then stop the capture.

You'll need to use display filters to all the information.


Use this display filter to find the DNS queries and answers for the domain: contains "

(Deprecated using dns contains after reading Jim's comment.)

There are probably a lot of DNS for a site like Yahoo so if you want everything you need to make a note of every IP addresses in the answer field of every DNS packets.


You can now display all TCP SYN segment with this filter.

(tcp.flags.syn == 1) && (tcp.flags.ack == 0)

You need to find the TCP stream index where the destination IP address matches the IP address from the DNS answer.

You may build a more complex filter using the IP addresses you found to (somewhat) automate this process.

ip.dst in {} && (tcp.flags.syn == 1) && (tcp.flags.ack == 0)

You can then find all the TCP stream indexes of all the Yahoo related TCP conversations.

This will include HTTP/HTTPS.


Display everything with a new display filter.

dns contains || in {10 20 30}

Hope this helps.



edit flag offensive delete link more

answered 2019-03-21 15:40:37 +0000

Zaaf gravatar image

updated 2019-03-21 16:24:27 +0000

DNS for use dns contains

TCP handshake for TCP hand shake will be with what ever ip address is resolved against Remember these days opening a webpage is not a tcp threeway handshake with single resolved ip address. I have seen multiple tcp sessions for single website.

HTTP GET request contains ""

I have just opened yahoo and it was https so use ssl.handshake.extensions_server_name == ""

so the possible combination for display filter will be

dns contains || contains "" || ssl.handshake.extensions_server_name == ""

edit flag offensive delete link more


Two answers have recommended using the display filter "dns contains".

This will not work because host names in DNS queries and responses are encoded. "" is not stored in the packet. What is actually stored is "3www5yahoo3com0"

What will work is " contains "" or """

"dns contains" compares to the actual values stored in the packet. " contains" or "" compares the the dissected value. "3www5yahoo3com0" is dissected as "" but that's not what's actually stored in the packet.

Jim Aragon gravatar imageJim Aragon ( 2019-03-21 18:42:34 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-02-23 19:19:08 +0000

Seen: 11,120 times

Last updated: Mar 21 '19