Capture only HTTP protocol

Is there a capture filter that will capture only HTTP packets on port 80? I don't need/want the associated TCP packets, I am trying to make the capture as small as possible.

I have tried basic "host x.x.x.x and port http" but it still includes TCP packets. I have tried a display filter of just "http", but it still includes the TCP packets.

Nilaru, asked 2020-01-31 22:53:56 +0000

1 Answer

Wireshark man pages: https://www.wireshark.org/docs/man-pa...

Capture filtering is handled by libpcap, and its documentation is part of the libpcap distribution. pcap-filter - Capture filter syntax

To select all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

Chuckc, answered 2020-02-01 03:36:08 +0000

Comments

You could also experiment with packet lengths.

greater length
True if the packet has a length greater than or equal to length. This is equivalent to:
len >= length.
Chuckc (2020-02-01 03:37:17 +0000)

(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) is probably better than looking at the full packet length, as the full packet length includes the link-layer header - even for Ethernet, the link-layer header could include VLAN headers, so it's not guaranteed to be "14 bytes of link-layer header followed by the IP header". The other formula calculates the TCP payload length.

(And I need to add stuff to the capture filter syntax to make it easier to 1) get the transport-layer payload length and 2) test data in that payload. Oh, and character-string and byte-string comparisons.)

Guy Harris (2020-02-01 04:03:37 +0000)

By way of explanation to the original poster: all the packets to and from port 80 are probably TCP packets. The ones you don't need or want are the ones that don't contain any data, just the TCP header; bubbasnmp's example checks the length of the TCP payload, which is "total length of IP datagram - length of IP header - length of TCP header" ("total length of IP datagram" is fetched from a field in the IP headers and doesn't count the length of the link-layer header).

Guy Harris (2020-02-01 04:07:02 +0000)

I have tried a display filter of just "http", but it still includes the TCP packets.

What's happening there is probably that an HTTP request or response doesn't fit in a single TCP packet ("segment"), and Wireshark reassembles the segments and displays the request or response with the last segment, marking the preceding segments as just "TCP" (probably with some comment about being part of a reassembled packet).

You do want those - you need all the segments that make up an HTTP request or response in order to see the full request/response - and bubbasnmp's filter expression will capture them.

Guy Harris (2020-02-01 04:09:41 +0000)
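To make the arithmetic in the answer's filter concrete, here is an added worked example (not from the question, the answer, or the Wireshark/libpcap projects) that evaluates the same byte-offset expression in Python over constructed Ethernet/IPv4/TCP frames. It shows why a bare ACK yields a payload length of 0 while a request segment does not, and why the TCP-payload calculation is unaffected by an 802.1Q VLAN tag or TCP options even though the whole-frame length that `greater` / `len` compares against changes. The addresses, ports and option bytes are constructed sample values; the helper names are this example's own.

```python
import struct

def build_ipv4_tcp_frame(payload: bytes, tcp_options: bytes = b"", vlan: bool = False) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame (sample data built here, not captured traffic).

    tcp_options must be a multiple of 4 bytes so the TCP data offset stays a whole word count.
    """
    assert len(tcp_options) % 4 == 0
    ip_words = 5                              # no IP options: 20-byte header
    tcp_words = 5 + len(tcp_options) // 4     # data offset in 32-bit words
    total_len = ip_words * 4 + tcp_words * 4 + len(payload)

    # IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto=6 (TCP), csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ip_words, 0, total_len, 0x1234, 0,
                         64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))

    # TCP header: sport, dport=80, seq, ack, data offset<<4, flags, window, csum, urgent
    flags = 0x18 if payload else 0x10         # PSH+ACK when carrying data, bare ACK otherwise
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, tcp_words << 4, flags,
                          65535, 0, 0) + tcp_options

    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan:
        eth += b"\x81\x00" + struct.pack("!H", 100)   # 802.1Q tag, VLAN ID 100 (constructed)
    eth += b"\x08\x00"                                 # EtherType IPv4
    return eth + ip_hdr + tcp_hdr + payload

def _ip_header_offset(frame: bytes) -> int:
    """Skip the Ethernet header and any single 802.1Q tag; return the offset of the IP header."""
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype == 0x8100:
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    return off + 2

def tcp_payload_length(frame: bytes) -> int:
    """Evaluate the answer's expression: ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2).

    Offsets are relative to the IP and TCP headers, exactly as the pcap-filter
    keywords ip[...] and tcp[...] index them, so the link-layer header never counts.
    """
    ip = frame[_ip_header_offset(frame):]
    ip_total = struct.unpack("!H", ip[2:4])[0]   # ip[2:2]  : IP total length
    ip_hlen = (ip[0] & 0xF) << 2                 # (ip[0]&0xf)<<2 : IP header length in bytes
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ip_hlen:]
    tcp_hlen = (tcp[12] & 0xF0) >> 2             # (tcp[12]&0xf0)>>2 : TCP header length in bytes
    return ip_total - ip_hlen - tcp_hlen

def matches_data_on_port_80(frame: bytes) -> bool:
    """Mirror 'tcp port 80 and (<payload length> != 0)': true only for segments carrying data."""
    ip = frame[_ip_header_offset(frame):]
    tcp = ip[(ip[0] & 0xF) << 2:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    return 80 in (sport, dport) and tcp_payload_length(frame) != 0

if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\n\r\n"
    for label, frame in [
        ("bare ACK", build_ipv4_tcp_frame(b"")),
        ("bare ACK, VLAN-tagged", build_ipv4_tcp_frame(b"", vlan=True)),
        ("request", build_ipv4_tcp_frame(request)),
        ("request, TCP options, VLAN", build_ipv4_tcp_frame(request, tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8, vlan=True)),
    ]:
        print(f"{label:28s} len={len(frame):3d}  payload={tcp_payload_length(frame):3d}  "
              f"match={matches_data_on_port_80(frame)}")
```

The `len` column is what a `greater N` capture filter compares against: the VLAN tag and TCP options move it around, so a fixed threshold is easy to get wrong, whereas the payload-length expression stays at 0 for every data-less segment and at the HTTP byte count for every segment that carries part of a request or response.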

The data I am capturing is from a security camera, which is sending video data over port 80. So I have massive amounts of packets marked as TCP, no syn/ack packets, and about 10 packets marked as HTTP.

I am able to use the display filter http.request.full_uri (just found this recently) to display only the packets I need. I'm still looking for an equivalent capture filter.

Nilaru (2020-02-03 17:59:00 +0000)