6

I'm using Wireshark on OSX, but I can't make any sense out of the filtering system.

I have this filter set up:

enter image description here

But when I hit that server, I don't see anything show up in the capture log. If I remove the filter, I see all sorts of network traffic. The network request I am doing is to

https://lowdown.secure.omnis.com

from an iOS application in the iOS simulator. The service receives the request, and I get a response. But I don't know how to filter these out of all the noise in Wireshark.

2
  • You can filter for the IP (ping the server to get it) with ip.addr == 123.123.2.1. Don't you have to use == instead of eq?
    – nixda
    Commented Nov 15, 2014 at 23:33
  • That works, Jake. Drop it in as an answer. :)
    – Almo
    Commented Nov 15, 2014 at 23:36

1 Answer

10

You can filter on an HTTP host on multiple levels. At the application layer, you can specify a display filter for the HTTP Host header:

http.host == "example.com"

At the transport layer, you can specify a port using this display filter:

tcp.port == 80

At the network layer, you can limit the results to an IP address using this display filter:

ip.addr == 93.184.216.34

These display filters can also be combined:

ip.addr == 93.184.216.34 and tcp.port == 80

Finally, you can set a capture filter, which controls the data that gets saved to a capture file. Capture filters must be set before capturing; you can open a dialog for this by double-clicking the interface name when no capture is active. This one causes a lookup of example.com and returns IP packets matching that host:

host example.com
1
  • Thanks for the answer. When I get back to it, I'll test this then accept the answer. :)
    – Almo
    Commented Dec 17, 2014 at 18:56
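
The following is an added example, not part of the original answer. It builds the display and capture filters described above for a host with several IPv4/IPv6 addresses, and for an HTTPS endpoint like the one in the question (port 443, where the hostname is visible only in the TLS ClientHello server name rather than in `http.host`). The function names are hypothetical, the sample addresses are constructed from documentation ranges, and `tls.handshake.extensions_server_name` is the field name in current Wireshark releases (older releases used the `ssl.` prefix).

```python
import ipaddress
import socket


def resolve(hostname):
    """Return every distinct address the resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def display_filter(addresses, port=443, sni=None):
    """Build a Wireshark display filter for the addresses and TCP port.

    If sni is given, also match the TLS ClientHello carrying that server
    name, so a connection to an address missing from the list still shows.
    """
    terms = []
    for text in addresses:
        addr = ipaddress.ip_address(text)  # raises ValueError on bad input
        field = "ipv6.addr" if addr.version == 6 else "ip.addr"
        terms.append(f"{field} == {addr}")
    if not terms:
        raise ValueError("no addresses to filter on")
    expr = f"({' or '.join(terms)}) and tcp.port == {int(port)}"
    if sni:
        expr = f'({expr}) or tls.handshake.extensions_server_name == "{sni}"'
    return expr


def capture_filter(addresses, port=443):
    """Build the equivalent libpcap capture filter (set before capturing)."""
    hosts = " or ".join(f"host {ipaddress.ip_address(a)}" for a in addresses)
    if not hosts:
        raise ValueError("no addresses to filter on")
    return f"({hosts}) and tcp port {int(port)}"


if __name__ == "__main__":
    # Constructed sample addresses, so the script runs offline.
    # With network access, use resolve("example.com") instead.
    sample = ["192.0.2.10", "2001:db8::10"]
    print(display_filter(sample, 443, sni="example.com"))
    print(capture_filter(sample, 443))
```
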
