When I use a display filter for HTTP, it shows only HTTP packets when the HTTP message is on the standard port, i.e. port 80. But when the message is not using the standard port, the display filter does not work for HTTP, and I need to filter for TCP and then find the HTTP packets manually.
I want to know why this happens. Is it standard behavior, or am I doing (or expecting) it wrongly?
Thanks.
If you still haven't captured any relevant HTTP traffic, then maybe you were capturing on the wrong interface, or maybe the traffic wasn't HTTP at all but HTTPS, in which case you will have to look for the relevant TCP connection carrying the encrypted SSL (TLS) traffic instead of the unencrypted HTTP traffic.
Observe the traffic captured in the top Wireshark packet list pane. To view only HTTP traffic, type http (lower case) in the Filter box and press Enter. Select the first HTTP packet labeled GET /. Observe the destination IP address.
To see the HTTP packets only, enter “HTTP” in the “Filter” text field towards the top-left. Then, under the main menu, click on the start icon (the first icon) to start capturing packets. Refresh the page. Once Wireshark displays the HTTP packets for your website request, stop the capture by clicking on the stop icon.
I had to enable the HTTP protocol by doing the following:
"Analyze -> Enabled Protocols"
This solution was for version 1.12.2 (and disabled by default in version 2.0.2) but should work for any variant of version 1 and 2.
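The manual step described in the question (filtering on TCP and picking out the HTTP messages by hand) can be done by inspecting payloads instead of port numbers. The following is an added example, not part of the original thread and not Wireshark code: the function names and the sample segments are constructed for illustration, and it assumes the TCP payloads have already been extracted from a capture.

```python
import re

# HTTP/1.x start lines. Only a segment that begins a message is recognised;
# continuation segments of a large body carry no start line.
REQUEST_RE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) (\S+) HTTP/\d\.\d\r\n")
STATUS_RE = re.compile(rb"^HTTP/\d\.\d (\d{3})(?: [^\r\n]*)?\r\n")


def classify_payload(payload: bytes):
    """Classify one TCP payload by content, ignoring the port it was seen on."""
    m = REQUEST_RE.match(payload)
    if m:
        return ("request", m.group(1).decode(), m.group(2).decode("latin-1"))
    m = STATUS_RE.match(payload)
    if m:
        return ("response", int(m.group(1)))
    # TLS handshake record (type 0x16, major version 0x03): this is HTTPS,
    # so no readable HTTP will appear in the stream.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return ("tls",)
    return None


def find_http(segments):
    """segments: iterable of (src_port, dst_port, payload) tuples."""
    hits = []
    for sport, dport, payload in segments:
        kind = classify_payload(payload)
        if kind:
            hits.append((sport, dport) + kind)
    return hits


# Constructed sample segments (not taken from a real capture).
SAMPLE = [
    (51000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (51001, 8080, b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (8080, 51001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    (51002, 443, b"\x16\x03\x01\x00\x05hello"),
    (51003, 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
]

if __name__ == "__main__":
    for hit in find_http(SAMPLE):
        print(hit)
```

The port 8080 request and response are reported alongside the port 80 request, the port 443 segment is flagged as TLS rather than HTTP, and the SSH banner is ignored.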