Gillat

WIRESHARK CAPTURE FILTER PROBLEM

Why can't I get my Wireshark capture filter to return only HTTP GET requests? I've reviewed many web pages with ideas, but they don't work. I can nail it down to just tcp on port 80 with the http get, but can't filter out those tcps.

I've checked the following websites and successfully implemented other capture filters, just not what I need!  Here's a couple out of the many resources I looked at.

http://openmaniak.com/wireshark_filters.php
http://74.125.47.132/search?q=cache:qPTCArYYJcoJ:wiki.wireshark.org/CaptureFilters+%22capture+http+filter+syntax%22&hl=en&gl=us&strip=1

Anyone help?
rowansmith

Are you trying to build a capture filter - which applies on the interface when you are listening to packets, or a display filter - which is applied to the packet capture after you have captured the packets?
Gillat

ASKER

A capture filter.  I can do this with a display filter, but want to do it with the capture filter.  Thanks.
ASKER CERTIFIED SOLUTION
rowansmith

This solution is only available to members.
Gillat

ASKER

That worked!  Thank you so much.  I think I understand how you arrived at the tcp [20:4], but what are the figures following the =?
0x47455420 = "GET "

Including the space, you have to match on 4 byte boundaries, would be a real pain if the GET was actually "GP" for Get Page :-) Lucky they thought of that when developing the HTTP Protocol :-) NOT!!!  I guess some things are just meant to be.

0x47 = G
0x45 = E
0x54 = T
0x20 = SPACE
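
The byte comparison explained above, as an added example that is not part of the original thread and not the members-only accepted solution: it derives the 4-byte constant for a method, builds the filter string, and emulates the match on constructed TCP segments to show that a fixed `tcp[20:4]` offset misses requests whose TCP header carries options. The `tcp port 80` prefix, the data-offset variant `tcp[((tcp[12:1] & 0xf0) >> 2):4]`, and all function names and sample bytes are assumptions made for this example.

```python
import struct

def method_constant(method: str) -> int:
    """First 4 bytes of the request line ("GET ", "POST", ...) as a big-endian int."""
    token = (method + " ").encode("ascii")[:4]
    if len(token) < 4:
        raise ValueError("need at least 4 bytes to compare with an [offset:4] accessor")
    return int.from_bytes(token, "big")

def fixed_offset_filter(method: str) -> str:
    """tcp[20:4] form: assumes a 20-byte TCP header, i.e. no TCP options."""
    return f"tcp port 80 and tcp[20:4] = 0x{method_constant(method):08x}"

def data_offset_filter(method: str) -> str:
    """Reads the real header length from the data-offset nibble in TCP byte 12."""
    return ("tcp port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = "
            f"0x{method_constant(method):08x}")

def tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment (not a real capture): header + options + payload."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1,
                         offset_words << 4, 0x18, 65535, 0, 0)
    return header + options + payload

def match_fixed(segment: bytes, const: int) -> bool:
    """Emulates tcp[20:4] = const (too-short segments never match)."""
    return len(segment) >= 24 and int.from_bytes(segment[20:24], "big") == const

def match_data_offset(segment: bytes, const: int) -> bool:
    """Emulates tcp[((tcp[12:1] & 0xf0) >> 2):4] = const."""
    start = (segment[12] & 0xF0) >> 2          # header length in bytes
    return (len(segment) >= start + 4
            and int.from_bytes(segment[start:start + 4], "big") == const)

# Constructed sample: NOP, NOP, Timestamps option (kind 8, length 10) = 12 bytes.
TIMESTAMPS = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 2000)
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    get = method_constant("GET")
    for name, seg in [("no options", tcp_segment(REQUEST)),
                      ("timestamps", tcp_segment(REQUEST, TIMESTAMPS))]:
        print(f"{name:11} tcp[20:4]: {match_fixed(seg, get)}  "
              f"data-offset: {match_data_offset(seg, get)}")
    print(data_offset_filter("GET"))
```
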



Gillat

ASKER

Again, thanks for explaining - I now get it that it's a character string.  Appreciate your help.  Have a good one!