http.host filter for tshark capturing
I would like to capture traffic to a specific domain name. I tried the following Wireshark filter:
http.host == 'example.com'
It works, but after a few hours the temp data gets very large, so I tried to use tshark & capture filters to only capture and save the traffic that is going to example.com:
tshark -i eth0 -f "Host example.com" -w "/tmp/d.pcap"
However, this is capturing everything.
Is there any way I can capture only the traffic going to a specific domain name?
wireshark
edited Oct 7 '14 at 16:53 by DavidPostill♦
asked Oct 7 '14 at 16:00 by k961
1 Answer
Capture filters are case sensitive:
tshark -i eth0 -f "host example.com" -w "/tmp/d.pcap"
answered Oct 7 '14 at 16:25 by heavyd
Didn't make any difference ... still all packets are captured and saved to disk
– k961 Oct 7 '14 at 16:31
Please remember that the packet filter http.host is not the same as the capture filter host. The capture filter will resolve the DNS name to an IP and capture any traffic to/from that IP.
– heavyd Oct 7 '14 at 16:35
I want to save only packets that contain the HTTP header (host: example.com). Is there any filter for this?
– k961 Oct 7 '14 at 16:43
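
Added example, not part of the original thread: because a capture filter selects only by address and port while http.host is a display filter, one workable approach is to capture with a narrow capture filter into a size-limited ring of files and then post-filter each finished file by Host header. The function names, the documentation-range IP addresses, TCP port 80 (plain HTTP) and the ring sizes are assumptions.

```shell
#!/bin/sh
# Added example: two-stage capture. IPs, port 80, sizes and names are assumptions.

# Stage 1 filter: BPF sees addresses and ports, never HTTP headers, so narrow
# the live capture to plain-HTTP traffic for the server's known IP addresses.
capture_filter_for() {   # capture_filter_for IP [IP...]
    [ "$#" -gt 0 ] || return 1
    expr=""
    for ip in "$@"; do
        # accept only digits and dots (IPv4 literals), so no DNS name is resolved
        case "$ip" in
            ""|*[!0-9.]*) return 1 ;;
        esac
        expr="${expr:+$expr or }host $ip"
    done
    printf 'tcp port 80 and (%s)\n' "$expr"
}

# Stage 2 filter: the display filter that matches the Host request header.
# The name is validated before it is placed inside the quoted filter string.
display_filter_for() {   # display_filter_for HOSTNAME
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf 'http.host == "%s"\n' "$1"
}

# Stage 1: live capture into a ring of 10 files of about 100 MB each, so disk
# use stays bounded however long the capture runs.
capture_ring() {   # capture_ring IFACE OUTFILE IP [IP...]
    iface=$1; out=$2; shift 2
    bpf=$(capture_filter_for "$@") || return 1
    tshark -i "$iface" -f "$bpf" -b filesize:102400 -b files:10 -w "$out"
}

# Stage 2: rewrite a finished capture file, keeping only the packets in which
# tshark dissects an HTTP request carrying the wanted Host header.
keep_http_host() {   # keep_http_host IN.pcap OUT.pcap HOSTNAME
    dfilter=$(display_filter_for "$3") || return 1
    tshark -r "$1" -Y "$dfilter" -w "$2"
}

# Typical use (run by hand; nothing is captured when this file is sourced):
#   capture_ring eth0 /tmp/d.pcap 192.0.2.10 192.0.2.11
#   keep_http_host /tmp/d_00001_<timestamp>.pcap /tmp/example.pcap example.com
```

The second stage keeps only the request packets themselves, not the TCP handshake or the responses, and http.host cannot match requests sent over HTTPS.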