Wireshark - Filter for Inbound HTTP Requests on Port 80 Only

We are integrating with an outside company in which we have had to make certain IP and port restrictions.

First, I am a novice at network administration, so if I butcher anything, please forgive me.

I am using Wireshark to try to catch incoming traffic to my machine and came across a post that used the following filter expression:

(ip.dst_host == 192.168.20.155) || (ip.src_host == 192.168.20.155 && tcp.srcport == 80) && tcp

If I am checking for an inbound HTTP POST on port 80...would this be sufficient? Furthermore, if I additionally wanted to check inbound HTTPS POSTs on port 443, how would I modify this?

Thanks ahead of time.


Solution 1:

You need to differentiate between capture filters and display filters. The syntax you're showing there is a Wireshark display filter. Display filters are used to filter out traffic from display but aren't used to filter out traffic during capture. You can learn more about Wireshark display filters from the Wireshark wiki.

If you're going to be doing a long-term capture and you want to limit the size of your capture files you'll probably want to use a capture filter. Wireshark capture filters use tcpdump filter syntax, so an article about tcpdump filters will help you out.

To capture only HTTP traffic to/from the host 10.0.0.1, for example, you could use the capture filter host 10.0.0.1 and tcp and port 80. If you wanted that to include HTTPS traffic (TCP port 443) you could modify it to read host 10.0.0.1 and tcp and (port 80 or port 443).

For a display filter to do the same thing w/ HTTP only you'd be looking at ip.addr == 10.0.0.1 && tcp.port == 80. For both HTTP and HTTPS you'd be looking at ip.addr == 10.0.0.1 && (tcp.port == 80 || tcp.port == 443).
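As an added illustration (not part of the question or the answer above, and not Wireshark's own code), the following Python model evaluates the three filters discussed on this page against a handful of constructed packet records. It shows that the answer's `host ... and tcp and (port 80 or port 443)` capture filter and its `ip.addr`/`tcp.port` display filter keep packets in either direction, that an inbound-only variant needs the directional fields `ip.dst` and `tcp.dstport` (real Wireshark display-filter fields, not used on the page), and how Wireshark's operator precedence (`&&` binds tighter than `||`) makes the question's original expression match more than intended. The packet list and addresses are constructed sample data.

```python
# Added example (not from the question or answer): a small model of the filters
# discussed above, evaluated against constructed packet records.
from dataclasses import dataclass
from typing import Callable, List

HOST = "10.0.0.1"  # the machine being watched, as in the answer


@dataclass(frozen=True)
class Packet:
    name: str
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


# Constructed sample traffic (documentation address ranges, not real hosts).
PACKETS: List[Packet] = [
    Packet("inbound_http",  "203.0.113.5", HOST,           "tcp", 51000, 80),
    Packet("our_reply",     HOST,          "203.0.113.5",  "tcp", 80,    51000),
    Packet("inbound_https", "203.0.113.5", HOST,           "tcp", 51001, 443),
    Packet("outbound_http", HOST,          "198.51.100.9", "tcp", 52000, 80),
    Packet("inbound_dns",   "203.0.113.5", HOST,           "udp", 5353,  53),
    Packet("other_host",    "203.0.113.5", "10.0.0.2",     "tcp", 51002, 80),
]


def matches(predicate: Callable[[Packet], bool]) -> List[str]:
    """Names of the sample packets a filter would keep, in capture order."""
    return [p.name for p in PACKETS if predicate(p)]


def answer_filter(p: Packet) -> bool:
    """Capture filter 'host 10.0.0.1 and tcp and (port 80 or port 443)'.
    The display filter 'ip.addr == 10.0.0.1 && (tcp.port == 80 || tcp.port == 443)'
    keeps the same packets: host/ip.addr and port/tcp.port match either direction."""
    return (HOST in (p.src, p.dst)
            and p.proto == "tcp"
            and bool({80, 443} & {p.sport, p.dport}))


def inbound_only_filter(p: Packet) -> bool:
    """Display filter 'ip.dst == 10.0.0.1 && (tcp.dstport == 80 || tcp.dstport == 443)'.
    ip.dst / tcp.dstport are Wireshark fields not used on the page; they restrict the
    match to requests arriving at the host, dropping replies and outbound requests."""
    return p.dst == HOST and p.proto == "tcp" and p.dport in (80, 443)


def question_filter(p: Packet) -> bool:
    """The expression quoted in the question, with HOST in place of 192.168.20.155:
    (ip.dst_host == HOST) || (ip.src_host == HOST && tcp.srcport == 80) && tcp
    Wireshark evaluates && before ||, so this reads as
    dst == HOST || (src == HOST && srcport == 80 && tcp): everything addressed to
    the host (UDP included) plus the host's own port-80 replies."""
    return p.dst == HOST or (p.src == HOST and p.sport == 80 and p.proto == "tcp")


if __name__ == "__main__":
    for label, f in [("answer (either direction)", answer_filter),
                     ("inbound only", inbound_only_filter),
                     ("question's filter", question_filter)]:
        print(f"{label:26s} -> {matches(f)}")
```

Two caveats worth keeping in mind when turning this into a real filter, neither of which is stated on the page: a port-based filter cannot distinguish a POST from a GET, so on port 80 the Wireshark field `http.request.method == "POST"` is what narrows the display to POSTs; on port 443 the method is inside the TLS payload, so a capture or display filter can only show that a TLS session to port 443 exists, not which HTTP method it carried.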