
In my browser I connect to www.superuser.com. In the Wireshark filter I want to access those packets which I receive from this web site. What is that filter?

Note: I do not want to use the IP address.


1 Answer


According to the Wireshark Wiki, the filter

host www.stackexchange.com

should work. If not, there's a thread in the Wshark forum that suggests the format

ip.dst_host www.superuser.com

which worked for the asker there.

  • Thank you, but I tried both of them and they do not work
    – alex
    Commented Dec 14, 2014 at 13:20
  • @alex Wireshark needs to resolve the name www.superuser.com to an IP because the string www.superuser.com is nowhere in your captured packets. So, it is not possible to filter for www.superuser.com without resolving the name to an IP first (e.g. via the hosts file).
    – nixda
    Commented Dec 14, 2014 at 13:49
  • Sorry, my bad, I didn't have Wshark to test with just then... now I did. The filter needs to be in the usual Wshark format ip.dst_host == stackexchange.com. There shouldn't be a need to resolve with the hosts file, as there's standard DNS resolution before the actual HTTP packet goes. The DNS name is in the payload of the HTTP packet. According to the wiki ip.dst_host is a valid filter, and Wshark accepts it. However I get no results using it either as capture or display filter, so it might be that the filter is broken. Note that the display filter reference mentions neither ip.dst nor ip.dst_host.
    Commented Dec 14, 2014 at 14:15
  • Well, I too tested it before commenting and it didn't show anything either. So I assumed it has something to do with name resolving, like your thread also said
    – nixda
    Commented Dec 14, 2014 at 14:18
  • I just tested by editing the host file. No difference. So either this filter works differently than other Wshark filters, or it is indeed broken.
    Commented Dec 14, 2014 at 14:25
