Saturday, January 29, 2011

How to filter http traffic in Wireshark?

I suspect my server has a huge load of http requests from its clients. I want to measure the volume of http traffic. How can I do it with Wireshark? Or probably there is an alternative solution using another tool?

This is how a single http request/response looks in Wireshark. The ping is generated by the WinAPI function ::InternetCheckConnection(). [screenshot]

Thanks!

  • Ping packets should use an ICMP type of 8 (echo) or 0 (echo reply), so you could use a capture filter of:

    icmp
    

    and a display filter of:

    icmp.type == 8 || icmp.type == 0
    

    For HTTP, you can use a capture filter of:

    tcp port 80
    

    or a display filter of:

    tcp.port == 80
    

    or:

    http
    

    Note that a filter of http is not equivalent to the other two, which will include handshake and termination packets.

    If you want to measure the number of connections rather than the amount of data, you can limit the capture or display filters to one side of the communication. For example, to capture only packets sent to port 80, use:

    tcp dst port 80
    

    Couple that with an http display filter, or use:

    tcp.dstport == 80 && http
    

    For more on capture filters, read "Filtering while capturing" in the Wireshark user guide, the capture filters page on the Wireshark wiki, or the pcap-filter(7) man page. For display filters, try the display filters page on the Wireshark wiki. The "Filter Expression" dialog box can help you build display filters.

    par : Sorry, I forgot to mention the details of the "ping" request. This is the Windows way of pinging. It seems icmp has no relation to my case.
    par : See the screenshot of the ping in Wireshark I just attached.
    Simeon Pilgrim : I changed the question from 'ping' to 'http' so your answer will not make sense in context, but I +1 because it's a good ping answer.
    From outis
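    The answer above says that a tcp.port == 80 filter matches every packet of a connection (handshake and teardown included) while an http filter matches only packets carrying a request or response line, and that counting one direction (or one SYN per connection) is how you get a connection count rather than a byte count. The script below is an added example, not code from this thread: it parses a libpcap file with the standard library only, applies the same predicates, and reports the numbers each filter would give. The capture it reads is constructed in memory (RFC 5737 documentation addresses, a hypothetical example.com host header, checksums left at zero) so it runs offline; pass the bytes of a real trace.cap written with `tshark -w` on an Ethernet-type interface to `summarize` instead. The `http` predicate is an approximation of Wireshark's dissector: it looks only for a request method or `HTTP/` at the start of the TCP payload.

    ```python
    """Classify TCP packets in a pcap the way the Wireshark filters in the answer do.

    Added example (not the thread's code). Builds a small libpcap file in memory
    from constructed frames so it runs offline; `summarize(open("trace.cap", "rb").read())`
    works on a real Ethernet capture.
    """
    import struct
    from collections import namedtuple

    Packet = namedtuple("Packet", "src dst sport dport flags payload frame_len")
    FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
    CLIENT, SERVER = "192.0.2.10", "198.51.100.20"   # constructed, RFC 5737 ranges


    def _ip(addr: str) -> bytes:
        return bytes(int(o) for o in addr.split("."))


    def tcp_frame(src, dst, sport, dport, flags, payload=b"") -> bytes:
        """Ethernet/IPv4/TCP frame. Checksums stay zero: the parser below never
        verifies them, and neither do Wireshark's port filters."""
        eth = b"\x00" * 12 + b"\x08\x00"                       # MACs, EtherType IPv4
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          5 << 4, flags, 65535, 0, 0)          # 20-byte header, no options
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                         0, 0, 64, 6, 0, _ip(src), _ip(dst))   # proto 6 = TCP
        return eth + ip + tcp + payload


    def pcap_bytes(frames) -> bytes:
        """Serialize frames as a little-endian libpcap file, link type 1 (Ethernet)."""
        out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
        for i, f in enumerate(frames):
            out += struct.pack("<IIII", 1296000000 + i, 0, len(f), len(f)) + f
        return out


    def read_pcap(data: bytes):
        """Yield a Packet for every IPv4/TCP frame; anything else is skipped."""
        magic, = struct.unpack_from("<I", data, 0)
        bo = "<" if magic == 0xA1B2C3D4 else ">"               # byte order from magic
        off = 24                                               # skip global header
        while off + 16 <= len(data):
            _, _, incl_len, _ = struct.unpack_from(bo + "IIII", data, off)
            frame = data[off + 16: off + 16 + incl_len]
            off += 16 + incl_len
            if len(frame) < 54 or frame[12:14] != b"\x08\x00":
                continue
            ip = frame[14:]
            ihl = (ip[0] & 0x0F) * 4
            total_len = struct.unpack_from("!H", ip, 2)[0]     # ignores Ethernet padding
            if ip[9] != 6:
                continue
            tcp = ip[ihl:total_len]
            sport, dport = struct.unpack_from("!HH", tcp, 0)
            data_off = (tcp[12] >> 4) * 4
            yield Packet(".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                         sport, dport, tcp[13], tcp[data_off:], len(frame))


    _HTTP_START = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")


    def is_port80(p):      # tcp.port == 80  (capture filter: tcp port 80)
        return 80 in (p.sport, p.dport)


    def is_http(p):        # approximates the "http" display filter: a request/status line
        return p.payload.startswith(_HTTP_START)


    def is_new_conn(p):    # one SYN without ACK per connection attempt from a client
        return p.dport == 80 and bool(p.flags & SYN) and not (p.flags & ACK)


    def summarize(pcap: bytes) -> dict:
        pkts = list(read_pcap(pcap))
        port80 = [p for p in pkts if is_port80(p)]
        return {
            "tcp.port == 80": len(port80),
            "bytes on port 80": sum(p.frame_len for p in port80),
            "tcp.dstport == 80": sum(1 for p in pkts if p.dport == 80),
            "http": sum(1 for p in pkts if is_http(p)),
            "tcp.dstport == 80 && http": sum(1 for p in pkts if p.dport == 80 and is_http(p)),
            "connections (SYN to :80)": sum(1 for p in pkts if is_new_conn(p)),
        }


    def sample_capture() -> bytes:
        """Constructed trace: one real request, one open/close with no request
        (as in the question's screenshot), and one unrelated HTTPS SYN."""
        c, s = (CLIENT, SERVER, 51000, 80), (SERVER, CLIENT, 80, 51000)
        c2, s2 = (CLIENT, SERVER, 51001, 80), (SERVER, CLIENT, 80, 51001)
        frames = [
            tcp_frame(*c, SYN), tcp_frame(*s, SYN | ACK), tcp_frame(*c, ACK),
            tcp_frame(*c, PSH | ACK, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
            tcp_frame(*s, PSH | ACK, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
            tcp_frame(*c, FIN | ACK), tcp_frame(*s, FIN | ACK), tcp_frame(*c, ACK),
            tcp_frame(*c2, SYN), tcp_frame(*s2, SYN | ACK), tcp_frame(*c2, ACK),
            tcp_frame(*c2, FIN | ACK), tcp_frame(*s2, FIN | ACK), tcp_frame(*c2, ACK),
            tcp_frame(CLIENT, SERVER, 51002, 443, SYN),        # not port 80, never counted
        ]
        return pcap_bytes(frames)


    if __name__ == "__main__":
        for name, value in summarize(sample_capture()).items():
            print(f"{name:28} {value}")
    ```

    On the constructed trace the port filter sees 14 packets but the http filter only 2, and the connection with no request at all (the InternetCheckConnection() pattern from the question) is invisible to `http` yet still counted by the SYN rule, which is why a request count and a connection count can disagree on a busy server.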
  • It's not a ping. A ping, as already said by outis, is an ICMP echo request. Your trace displays the establishment and immediate termination of an HTTP connection, and that's what InternetCheckConnection() does. The IP in question, 77.222.43.228, resolves to http://repkasoft.com/, which, I guess, is the URL you pass to InternetCheckConnection().

    You can filter traffic with this IP by using the capture filter host 77.222.43.228 or the display filter ip.addr == 77.222.43.228.

  • Using Wireshark 1.2+, I would run this batch file:

    :: Script to save a wireshark trace
    :: tshark -D to get interface id
    @echo off
    C:
    cd C:\Temp\NetTracing
    set PATH=%PATH%;C:\Program Files\Wireshark
    echo Tracing host 127.1 or 172.1.1.1 or 10.0.0.1
    
    :: -i 4             interface id from "tshark -D"
    :: -a duration:900  stop capturing after 15 minutes
    :: -S               also print decoded packets while writing (tshark 1.x flag)
    :: -f "tcp port 80" capture filter, pcap-filter syntax as in Wireshark
    :: -w trace.cap     save raw packets for later analysis in Wireshark
    tshark.exe -i 4 -a duration:900 -S -f "tcp port 80" -w trace.cap
    
    From djangofan
