0

What is the display filter to only see traffic for a particular website?

When I enter www.yahoo.com in the browser, I would like to see everything related to www.yahoo.com. For instance,

  1. DNS for www.yahoo.com
  2. TCP handshake for www.yahoo.com
  3. HTTP GET request
1
yakinharoon
asked 2019-02-23 19:19:08 +0000

Comments

So you want the TCP handshake, and the TCP get request, but not any ACK-only packets, in the TCP connection to www.yahoo.com?

Guy Harris (2019-03-21 20:18:08 +0000)

2 Answers

0

Hi,

This is how I do it but there are probably other (better?) ways.

Capture all traffic when you are browsing to the website.

When you are done close your browser and then stop the capture.

You'll need to use display filters to see all the information.

DNS

Use this display filter to find the DNS queries and answers for the domain:

dns.qry.name contains "www.yahoo.com"

(Deprecated using dns contains www.yahoo.com after reading Jim's comment.)

There are probably a lot of DNS packets for a site like Yahoo, so if you want everything you need to make a note of every IP address in the answer field of every DNS packet.

TCP (HTTP)

You can now display all TCP SYN segments with this filter.

(tcp.flags.syn == 1) && (tcp.flags.ack == 0)

You need to find the TCP stream index where the destination IP address matches the IP address from the DNS answer.

You may build a more complex filter using the IP addresses you found to (somewhat) automate this process.

ip.dst in {1.2.3.4 5.6.7.8 9.0.1.2} && (tcp.flags.syn == 1) && (tcp.flags.ack == 0)

You can then find all the TCP stream indexes of all the Yahoo related TCP conversations.

This will include HTTP/HTTPS.

ALL THAT JAZZ

Display everything with a new display filter.

dns contains www.yahoo.com || tcp.stream in {10 20 30}

Hope this helps.

Cheers,

JF

191
Spooky
answered 2019-02-26 00:07:17 +0000, updated 2019-03-21 19:43:42 +0000

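The procedure in the answer above (DNS answers, then SYN packets to those addresses, then the tcp.stream indexes, then one combined filter) can be automated once the fields are exported from the capture. The script below is an added example, not part of the answer; it assumes the input lines look like the tab-separated output of `tshark -T fields` for the commands shown in the comments, and the lines themselves are constructed here so that it runs offline.

```python
"""Automate the DNS -> IP set -> SYN -> tcp.stream -> display-filter steps.

Assumption (not from the original answer): the input lines imitate the
tab-separated output of `tshark -T fields`. They are constructed here so
the script runs offline; replace them with real tshark output.
"""
import ipaddress
from typing import Iterable, List, Set

SITE = "www.yahoo.com"

# Constructed stand-in for the output of (assumed command):
#   tshark -r site.pcapng -Y 'dns.flags.response == 1 && dns.qry.name contains "www.yahoo.com"' \
#          -T fields -e dns.qry.name -e dns.a
# tshark joins several A records of one packet with commas.
DNS_ANSWER_LINES = [
    "www.yahoo.com\t1.2.3.4,5.6.7.8",
    "www.yahoo.com\t9.0.1.2",
    "www.yahoo.com\t",                # CNAME-only response: no A record in this packet
    "api.example.net\t198.51.100.7",  # unrelated query caught in the same capture
]

# Constructed stand-in for the output of (assumed command):
#   tshark -r site.pcapng -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
#          -T fields -e tcp.stream -e ip.dst
SYN_LINES = [
    "10\t1.2.3.4",
    "11\t198.51.100.7",   # unrelated connection
    "20\t5.6.7.8",
    "30\t9.0.1.2",
    "31\t1.2.3.4",        # second connection to the same host (browsers open several)
]


def answer_ips(lines: Iterable[str], site: str) -> Set[str]:
    """IP addresses from the dns.a field of responses whose query name contains `site`."""
    ips: Set[str] = set()
    for line in lines:
        qname, _, addrs = line.partition("\t")
        if site not in qname:
            continue
        for addr in addrs.split(","):
            addr = addr.strip()
            if addr:
                ipaddress.ip_address(addr)  # reject malformed field output early
                ips.add(addr)
    return ips


def related_streams(lines: Iterable[str], ips: Set[str]) -> List[int]:
    """tcp.stream indexes of SYN packets whose destination is one of `ips`."""
    streams: Set[int] = set()
    for line in lines:
        stream, _, dst = line.partition("\t")
        if dst.strip() in ips:
            streams.add(int(stream))
    return sorted(streams)


def syn_filter(ips: Set[str]) -> str:
    """The intermediate filter from the answer, with the IP set filled in."""
    ordered = sorted(ips, key=ipaddress.ip_address)
    return "ip.dst in {%s} && (tcp.flags.syn == 1) && (tcp.flags.ack == 0)" % " ".join(ordered)


def site_filter(site: str, streams: List[int]) -> str:
    """The final filter: DNS traffic for the site plus every related TCP stream.
    dns.qry.name is used rather than a raw `dns contains`, because the host
    name is stored in length-prefixed label form in the packet."""
    parts = ['dns.qry.name contains "%s"' % site]
    if streams:
        parts.append("tcp.stream in {%s}" % " ".join(str(s) for s in streams))
    return " || ".join(parts)


def build(site: str = SITE, dns_lines=DNS_ANSWER_LINES, syn_lines=SYN_LINES) -> str:
    """Run the whole procedure on the exported field lines and return the filter."""
    ips = answer_ips(dns_lines, site)
    return site_filter(site, related_streams(syn_lines, ips))


if __name__ == "__main__":
    print(syn_filter(answer_ips(DNS_ANSWER_LINES, SITE)))
    print(build())
```

The resulting filter for the constructed data is `dns.qry.name contains "www.yahoo.com" || tcp.stream in {10 20 30 31}`; stream 31 is kept because a browser usually opens more than one connection to the same address, which the answer's manual lookup would otherwise have to catch by hand.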
0

DNS for www.yahoo.com: use dns contains www.yahoo.com

TCP handshake for www.yahoo.com: the TCP handshake will be with whatever IP address is resolved for www.yahoo.com. Remember, these days opening a webpage is not a TCP three-way handshake with a single resolved IP address. I have seen multiple TCP sessions for a single website.

HTTP GET request: http.host contains "www.yahoo.com"

I have just opened Yahoo and it was HTTPS, so use ssl.handshake.extensions_server_name == "www.yahoo.com"

So the possible combination for the display filter will be

dns contains www.yahoo.com || http.host contains "www.yahoo.com" || ssl.handshake.extensions_server_name == "www.yahoo.com"

1
Zaaf
answered 2019-03-21 15:40:37 +0000, updated 2019-03-21 16:24:27 +0000

Comments

Two answers have recommended using the display filter "dns contains www.yahoo.com".

This will not work because host names in DNS queries and responses are encoded. "www.yahoo.com" is not stored in the packet. What is actually stored is "3www5yahoo3com0".

What will work is dns.qry.name contains "www.yahoo.com" or dns.qry.name == "www.yahoo.com"

"dns contains" compares to the actual values stored in the packet. "dns.qry.name contains" or "dns.qry.name ==" compares to the dissected value. "3www5yahoo3com0" is dissected as "www.yahoo.com", but that's not what's actually stored in the packet.

Jim Aragon (2019-03-21 18:42:34 +0000)
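The distinction in the comment above, between the raw bytes that `dns contains` searches and the dissected name that `dns.qry.name` searches, can be checked directly by encoding a name the way DNS puts it on the wire (RFC 1035, section 3.1: each label prefixed by its length, terminated by a zero byte). The following is an added example, not code from the thread; the two `*_contains` helpers are assumptions that model how the two filters behave.

```python
"""Why `dns contains "www.yahoo.com"` misses DNS packets while
`dns.qry.name contains "www.yahoo.com"` matches (added example)."""
from typing import List, Tuple


def encode_dns_name(name: str) -> bytes:
    """Encode a host name into DNS wire format: each label is prefixed with
    its length byte and the sequence ends with a zero byte (RFC 1035 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            raise ValueError("empty label in %r" % name)
        if len(label) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_dns_name(wire: bytes, offset: int = 0) -> Tuple[str, int]:
    """Decode a wire-format name starting at `offset`; return (name, next_offset).
    This is what a dissector does to produce dns.qry.name. Compression
    pointers (RFC 1035 4.1.4) are rejected: the query section, which this
    demo models, never uses them."""
    labels: List[str] = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not supported in this demo")
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def raw_contains(wire: bytes, needle: str) -> bool:
    """Models `dns contains "..."`: a byte-wise search of the raw DNS payload (assumption)."""
    return needle.encode("ascii") in wire


def dissected_contains(wire: bytes, needle: str) -> bool:
    """Models `dns.qry.name contains "..."`: a search of the decoded name (assumption)."""
    name, _ = decode_dns_name(wire)
    return needle in name


if __name__ == "__main__":
    wire = encode_dns_name("www.yahoo.com")
    print(wire)                                        # b'\x03www\x05yahoo\x03com\x00'
    print(raw_contains(wire, "www.yahoo.com"))         # False: dots are never on the wire
    print(dissected_contains(wire, "www.yahoo.com"))   # True
    print(raw_contains(wire, "yahoo"))                 # True: a single label has no dots
```

A consequence worth knowing when reading older filters: `dns contains "yahoo"` does match, because a single label appears verbatim between its length byte and the next label, so a raw-byte filter only breaks once the search string spans a dot.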
