How to filter by protocol in Wireshark 2.2.7
Andrew Henderson
I am trying to show only HTTP traffic in the capture window in the last version of Wireshark, but I cannot figure out what the syntax is in the capture filter.
I have tried suggestions for old versions of Wireshark but with no success.
I have this current filter:
ip host 192.168.0.201
Meaning that I want to capture packets from and to that IP address. I need to add an HTTP protocol condition. I have tried "ip host 192.168.0.201 http", "ip host 192.168.0.201 and ip.proto == 'http'", and a lot of other combinations, but none worked.
EDIT:
This is the actual capture session, so that you can figure out what the problem is:
Regards Jaime
4 Answers
Based on your comments, if you only want to filter HTTP POST or GET messages you could use the following filter:
(http.request.method == GET or http.request.method == POST) and ip.host == 192.168.0.201
Tested with 2.2.6
You can filter on IP address and port with ip.addr==192.168.0.201 and tcp.port==8080 to display only packets to TCP port 8080. If you want to be more specific regarding the HTTP traffic, i.e., you only want to see packets where the method is GET or POST, you could use http.request.method == method, e.g., http.request.method == GET, instead of tcp.port==8080.
Since there isn't a straightforward answer to the original question, maybe this helps others. If you want to filter to only see the HTTP protocol results of a Wireshark capture, you need to add the following filter:
http
Yep, that's it. In the case in the above question, that means setting the filter to:
ip.addr==192.168.0.201 and http
Note that what makes it work is changing ip.proto == 'http' to http.
Just try this, it works.
ip.addr == 192.168.2.11 and tcp
Put the style in the Wireshark filter, it will filter the TCP protocol. Very simple.
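The question asks for a capture filter, while the filters in the answers are display filters, and the two use different syntaxes. As an added example (not posted by anyone in this thread), the shell functions below build both forms for tshark, Wireshark's command-line tool; the interface name and the use of port 8080 for HTTP are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Address 192.168.0.201 and port 8080 are
# the values used in the posts; the capture interface is whatever you pass in.

# Accept only a dotted-quad shaped address, so untrusted input cannot smuggle
# extra terms (or newlines) into the filter expression.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Accept only a decimal TCP port in the range 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Capture filter (libpcap/BPF syntax, tshark -f). BPF has no "http" keyword,
# so HTTP is approximated by the TCP port the server listens on.
capture_filter() {
    valid_ipv4 "$1" && valid_port "$2" || return 1
    printf 'host %s and tcp port %s' "$1" "$2"
}

# Display filter (Wireshark syntax, tshark -Y). Protocol names such as "http"
# are valid here because the dissectors have already decoded the packet.
display_filter() {
    valid_ipv4 "$1" || return 1
    printf 'ip.addr == %s and http' "$1"
}

# Live capture: the BPF expression limits what is captured, the display
# filter limits what is shown. Usage: capture_http <interface> <ip> <port>
capture_http() {
    cf=$(capture_filter "$2" "$3") || { echo "bad address or port" >&2; return 1; }
    df=$(display_filter "$2") || return 1
    tshark -i "$1" -f "$cf" -Y "$df"
}
```

In the Wireshark GUI the first string goes in the capture options dialog and the second in the filter toolbar above the packet list.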