Filtering HTTP traffic in Wireshark is a fairly trivial task but it does require the use of a few different filters to get the whole picture.
Many people think the http filter is enough, but you end up missing the handshake and termination packets.
To start this analysis start your Wireshark capture and browse some HTTP sites (not HTTPS). FoxNews.com is a good one because they have a very large site that loads a lot of information and (at the time of writing this) they have not switched to HTTPS, sadly.
Wireshark HTTP Protocol Filter
To display packets using the HTTP protocol you can enter the following filter in the Display Filter Toolbar:
You’ll notice that all the packets in the list show HTTP for the protocol.
The unfortunate thing is that this filter isn’t showing the whole picture. You’re missing the setup handshakes and termination tcp packets.
To display all the HTTP traffic you need to use the following protocol and port display filter:
tcp.dstport == 80
Now you’ll see all the packets related to your browsing of any HTTP sites you browsed while capturing.
Filtering HTTP Traffic to and from Specific IP Address in Wireshark
If you want to filter for all HTTP traffic exchanged with a specific you can use the “and” operator. If, for example, you wanted to see all HTTP traffic related to a site at xxjsj you could use the following filter:
tcp.port == 80 and ip.addr == 220.127.116.11
Notice only packets with 18.104.22.168 in either the source or destination columns is shown. You can also use the OR or || operators to create an “either this or that” filter.
tcp.port == 80 || ip.addr == 22.214.171.124
Wireshark HTTP Method Filter
If you want to dig into your HTTP traffic you can filter for things like GET, PUT, POST, DELETE, HEAD, OPTIONS, CONNECT, and TRACE. To filter for these methods use the following filter syntax:
http.request.method == requestmethod
For example, if you wanted to filter for just the GET requests, enter the following filter in the Display Filter toolbar:
http.request.method == “GET”
Now you’re left with all of the GET requests for assets from the website.
Viewing HTTP Packet Information in Wireshark
Working with the GET Method Filter displayed above, click on a packet in the Packet List Pane and then look at the information in the Packet Details Pane. Expand the Hypertext Transfer Protocol detail:
Now you can see the information about the request such as Host, User-Agent, and Referer.
Expand the GET to reveal even more information such as the URI and HTTP Request Version.
Wireshark HTTP Response Filter
One of the many valuable bits of information in a HTTP conversation is the response. This is the code a website returns that tells the status of the asset that was requested. You’ve probably seen things like Error 404 (Not Found) and 403 (Forbidden). These are HTTP responses and only a couple of the many that exist.
To filter for all responses enter the following display filter:
Notice to the right of the protocol version information there is a column of numbers. These are your response codes. We only see 200 in my example which means the HTTP request was successful.
To filter for a specific response, such as a HTTP 200 (OK), HTTP 301 (Moved Permanently), or HTTP 404 (Not Found) use the following display filter:
http.response.code == 200
Change 200 to another code to search for that code. Here is a list of HTTP Status Codes.
Follow the Full HTTP Stream to Match Get Requests with Responses
A very handy feature of Wireshark is the ability to view streams in a human readable format from beginning to end. To this, pick a HTTP protocol packet such as the packet containing the 200 response that we saw earlier and right click on it. Click on Follow -> HTTP Stream.
You’ll now be presented with a window that shows the entire stream including the GET (red) and HTTP/1.1 200 OK (Blue)
As you can see, there is a lot to HTTP traffic and just filtering for the HTTP protocol doesn’t cut it.
If you really want to put the whole picture together when troubleshooting problems with accessing websites you have to take a multi-pronged approach.
Recommended for You: Solarwinds Network Performance Monitor (NPM)Do you know the health of your networking equipment? Know when something goes down before a user reports problems? Know where your bandwidth is going or where you’re losing your packets?
Automate data collection and alerting of your networking infrastructure with Solarwinds NPM so you know exactly what is going on in your network and can sleep easy.
Unlike other tools, NPM is ready to out of the box with most common makes and models of networking equipment. No messing around with custom templates, xml files, or code to extract important information.