Wireshark-users: Re: [Wireshark-users] port monitoring
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 4 Sep 2012 16:58:01 -0700
On Sep 4, 2012, at 4:23 PM, mike dodson wrote:

> Thanks for the help but the suggestions did not work at all

Probably because some of them (the ones without "!=") were *capture* filters, which would have let you avoid capturing traffic to or from ports 80 or 443 but, at least in Wireshark, wouldn't have let you filter traffic you've *already captured*, and the other one filtered out stuff decoded as HTTP or HTTP-over-SSL/TLS but wouldn't have filtered out traffic to ports 80 or 443 that was ACK-only (no content *to* decode as HTTP or HTTP-over-SSL/TLS) or was part of a reassembled HTTP message or SSL message (they're just shown as stuff reassembled later).

> but with a bit of playing around with the filter I was able to get it to work as listed below.
>  
> tcp.port != 80 and tcp.port !=443 and udp.port != 80 and udp.port !=443

Yes, that's the right way to filter it out once you've captured the packets.  The capture filters would help if you want to avoid even *capturing* "uninteresting" packets (TCP or UDP packets to or from port 443).
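The difference described in this message, as an added example that is not part of the original e-mail: a simplified Python model (not Wireshark's dissector code) of why excluding packets by decoded protocol still leaves ACK-only and continuation segments on ports 80 and 443, while excluding by port removes them. The function names, the payload heuristic and the sample packets are constructed for illustration.

```python
import struct

ACK, PSH = 0x10, 0x08

def tcp_segment(sport, dport, flags, payload=b""):
    """Build a minimal 20-byte TCP header (no options) followed by payload."""
    offset_flags = (5 << 12) | flags  # data offset of 5 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       offset_flags, 65535, 0, 0) + payload

# Constructed sample traffic, not taken from a real capture.
PACKETS = [
    ("http request", tcp_segment(50000, 80, ACK | PSH, b"GET / HTTP/1.1\r\n\r\n")),
    ("bare ack to 80", tcp_segment(50000, 80, ACK)),
    ("http body continuation", tcp_segment(80, 50000, ACK, b"...rest of a body...")),
    ("tls record to 443", tcp_segment(50001, 443, ACK | PSH, b"\x16\x03\x01\x00\x05hello")),
    ("bare ack from 443", tcp_segment(443, 50001, ACK)),
    ("ssh", tcp_segment(50002, 22, ACK | PSH, b"SSH-2.0-example\r\n")),
]

def parse(segment):
    """Return (source port, destination port, payload) of a TCP segment."""
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    return sport, dport, segment[(offset_flags >> 12) * 4:]

def looks_decoded(payload):
    """Assumed stand-in for 'this packet was labelled HTTP or SSL/TLS'."""
    is_http = payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/"))
    is_tls = len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 3
    return is_http or is_tls

def protocol_filter(packets):
    """Keep packets that were not decoded as HTTP or SSL/TLS."""
    return [name for name, seg in packets if not looks_decoded(parse(seg)[2])]

def port_filter(packets, ports=(80, 443)):
    """Keep packets whose source and destination ports are both outside `ports`."""
    kept = []
    for name, seg in packets:
        sport, dport, _payload = parse(seg)
        if sport not in ports and dport not in ports:
            kept.append(name)
    return kept

if __name__ == "__main__":
    print("protocol-based:", protocol_filter(PACKETS))
    print("port-based:    ", port_filter(PACKETS))
```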