I try to capture http traffic with Wireshark and cant implement filters.

For example, I need filtered traffic by URL. I found solution in the tutorial https://www.wireshark.org/docs/man-pages/wireshark-filter.html

So I try to follows but have the error syntax error in the filter expression or invalid capture filter:

How to correctly use filters in the Wireshark?

Step – 1: Select correct interface

You need to choose the interface you're sniffing data from. If you are using wireless router to connect internet, then select the Wi-fi: en0 option.

If you are confused with many options, please remove unwanted connected devices to reduce the options, also open any YouTube video so that you can see the traffic fluctuation on your internet link interface. Note that straight line next to interface means no active traffic on that interface.

(Refer below video for detail information: https://www.youtube.com/watch?v=1wB3ku4TSLY)

Step-2 : Design correct filter

To apply correct filter, you should know the public IP address or port (or both). In your case, open cmd prompt (windows user) and Nslookup your URL to find the ip address

(Refer video for detail information : https://www.youtube.com/watch?v=5DzG2hKAZ9U)

Hence your filter is “ip.addr == 104.26.11.240”

Step-3 : Apply filter

Instead of “http contains “Google”” please Enter “ip.addr == 104.26.11.240” without double quotes.

And hit the enter key, your red filter Colour become green & you can see at the bottom

packets : (number1) . Displayed : (number2)

number1- total number of packets captured on interface

number2 - relevant number of packets on interface of www.wireshark.org

Step-4 : save packets

Save only relevant traffic (5 packets) and exclude the unwanted traffic (397 packets).

• Click on file
• Click on exports specified packets
• Select filename & path
• Select format pcapng

That area is for a capture filter, not a display filter. If you remove your text, you should see that it indicates, "Enter a capture filter ...". The area for entering a display filter is at the top of the screen where it indicates, "Apply a display filter ... <Ctrl-/>".

As the name suggests, capture filters are applied during capturing and use a different syntax than Wireshark's display filters, which are applied after packets have already been captured when working with a capture file. For more information on capture filter syntax, refer to the pcap-filter man page.

For more information on Wireshark display filters, refer to section 6.4. Building Display Filter Expressions in the Wireshark User's Guide.

First you need to choose the interface you're sniffing data from. If you wish to sniff the the wireless data then select the Wi-fi: en0 option, then when the interface is sniffing and parsing the data you can then use the filters as you wish.