Why can't I capture HTTP on Wireshark?
My question is about capture of the traffic on Wireshark.
I have installed the Linux Wireshark and captured the HTTP traffic from a web server. When I look at the capture, I don't see any of the information which was transferred in HTTP request-reply (HTTP GET/POST) messages. However, when I click on the "Web Sessions" tab, I can see all the packets which were transmitted. Why is this?
Because you're not trying to capture HTTP traffic, you're trying to capture raw packets. You can see the difference in a capture of two different webpages, for example: the one that's on a web server, and the one that's on a desktop web browser.
Wireshark will show you the headers, but it will not show you the content of the response (unless you filter on the HTTP header, as you've done). You'll get the content of the response if you capture the whole packet (i.e. all the traffic, not just the headers), because that's what Wireshark is designed to do. You can't capture HTTP packets (or any other protocol packet) with Wireshark. You can only capture raw packets. To capture HTTP packets, you will have to install an HTTP sniffer like tcpdump, libpcap, Wireshark or Netcat. What you are seeing are only the protocol headers, and not the body of the HTTP message. To capture HTTP, you need to capture the entire packet, which you are unable to do by filtering out the HTTP header.
How do I capture network traffic?
If you want to capture traffic from a specific process, you can use Wireshark to do this.
This will require that the process has certain ports open and listening on the network, and will capture all traffic in the selected ports.
For example, you can capture all traffic from the process using the following command: sudo tcpdump -i eth0 port 80. If you want to capture traffic from a specific process, but don't know what ports to monitor, you can use Wireshark to filter to the process you want to capture traffic from. For example, to capture all traffic from all processes running on my machine: sudo tcpdump -i eth0 -s0 -w ~/Desktop/net-capture. The -s0 will capture packets for a very long time and -w ~/Desktop/net-capture will save it to that directory. Wireshark is the most flexible and powerful tool for capturing traffic, so if you want to read more about how to use it, here is a good tutorial.
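The answer above uses tcpdump's -s0 and -w options. What -s actually controls is the snapshot length, the number of bytes of each packet written to the capture file; -s0 means the whole packet. The following added example (not code from the page or from the tcpdump/Wireshark projects) builds one constructed Ethernet/IPv4/TCP frame carrying an HTTP GET, writes it to an in-memory pcap file twice (once with the full packet, once truncated to a short snaplen) and parses both back. It shows why a capture written with a short snaplen still shows the protocol headers but no HTTP request line, which is the symptom the first question describes. Addresses, MACs and the request are constructed sample values; only the standard library is used.

```python
"""Added example: what tcpdump's snapshot length (-s) does to an HTTP capture."""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic little-endian pcap magic number
LINKTYPE_ETHERNET = 1
HTTP_PORT = 80


def build_http_get_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with an HTTP GET payload.

    IP/TCP checksums are left at zero; that is fine for parsing, which is all
    this example does with the frame.
    """
    http = (b"GET /index.html HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"User-Agent: example-client\r\n\r\n")
    # src port 40000, dst port 80, seq 1, ack 1, data offset 5 words, PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 40000, HTTP_PORT, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip_total_len = 20 + len(tcp) + len(http)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 1, 0, 64, 6, 0,
                     bytes([192, 168, 0, 10]), bytes([192, 168, 0, 1]))   # constructed LAN addresses
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + http


def write_pcap(frames, snaplen: int) -> bytes:
    """Serialise frames as a pcap file, truncating each record to snaplen (0 = whole packet)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen or 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        captured = frame if snaplen == 0 else frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data: bytes):
    """Yield (incl_len, orig_len, frame_bytes) for each record of a little-endian pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def extract_http_request_line(frame: bytes):
    """Walk Ethernet -> IPv4 -> TCP and return the HTTP request line, or None.

    None means the frame is not IPv4/TCP to port 80 or the payload was cut off
    before a complete request line (what a short snaplen produces).
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    dst_port = struct.unpack_from("!H", frame, tcp_off + 2)[0]
    if dst_port != HTTP_PORT:          # same idea as tcpdump's "port 80" filter
        return None
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:]
    line, sep, _rest = payload.partition(b"\r\n")
    if not sep or not line.endswith((b"HTTP/1.1", b"HTTP/1.0")):
        return None
    return line.decode("ascii", "replace")


def summarize(pcap: bytes):
    """One dict per record: was it truncated, and which HTTP request line (if any) survived."""
    return [{"truncated": incl < orig, "request": extract_http_request_line(frame)}
            for incl, orig, frame in read_pcap(pcap)]


if __name__ == "__main__":
    frame = build_http_get_frame()
    for snaplen in (0, 68):          # 0 = tcpdump -s0; 68 was tcpdump's old default snaplen
        print(f"snaplen {snaplen}: {summarize(write_pcap([frame], snaplen))}")
```

With snaplen 0 the parser recovers "GET /index.html HTTP/1.1"; with snaplen 68 the record is flagged as truncated and no request line is found, because the 54 bytes of Ethernet, IP and TCP headers leave only 14 bytes of the HTTP payload. Wireshark marks such records the same way (captured length smaller than the on-wire length), which is the first thing to check when an HTTP capture seems to show headers only.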
How to capture HTTP traffic in Wireshark?
How do I capture HTTP traffic in Wireshark?
I have a LAN (192.168.0/24) using a Cisco 3750 switch and need to know which host is going into which port and whether the traffic in the packets is HTTP (and SSL, in case required by the server). So far, my attempts at setting up port mirroring on the Cisco switch, followed by trying to set up an external capture (on the server side) with port mirroring as the packet sink, just don't work. Tried Wireshark on both switch and server to see if it's possible at all. No good.
You can use either an ethernet to ethernet port connection or an ethernet to IP connection, but it needs to be set up properly. For an IP connection you could use iptables to filter out the local traffic and send all other types to a tap.
For example you could try this script with this setup:
    #!/bin/sh
    trap "restart" SIGTERM
    # Setup all ports
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --destination-port 80 -j DNAT --to 1:22
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --destination-port 443 -j DNAT --to 1:22
    # Setup tap2drop
    iptables -t nat -A POSTROUTING -s 192.0/24 -o eth0 -d 224.251 -j SNAT --to 192.0/24
    /etc/init.d/firewall stop
If this configuration does not work correctly for you, you can check this guide where they show how to set up the above setup to allow access for all LAN clients from the server's IP, to just a specific client's from that IP range.