Question

When I use the display filter for HTTP, it shows only HTTP packets when the HTTP message is on the standard port, i.e. port 80. But when the message is not using the standard port, the display filter does not work for HTTP, and I need to filter for TCP and then find the HTTP packets manually.

I want to know why this happens. Is it standard behavior, or am I doing (or expecting) it wrongly?

Thanks.

Solution 3

The well-known port for HTTP is port 80. If you're looking at traffic on a different port, Wireshark would normally expect traffic to be in the form for whatever service normally uses that port (if any). It has no way to know that traffic on, say, port 1080 is actually HTTP. This is not a bug, but a limitation of the way you are trying to use TCP.

OTHER TIPS

I had to enable the HTTP protocol by doing the following:

"Analyze -> Enabled Protocols"

This solution was for version 1.12.2 (and disabled by default in version 2.0.2) but should work for any variant of version 1 and 2.

If you have HTTP not on its usual port, you can use the "Analyze -> Decode As" tool in Wireshark to tell it to treat all traffic on this port as a certain protocol.

I am using version 1.10.2 and it will classify any port as HTTP as long as it sees HTTP data in it.
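
The answers above describe three ways a TCP stream can end up labelled as HTTP: by its port, by a "Decode As" override, or by recognising HTTP in the payload. The sketch below is an added example, not Wireshark's code and not from any of the posters. It is a simplified model with a constructed port table, constructed sample flows and hypothetical function names, and it also shows how to list HTTP seen on ports other than 80.

```python
import re

# Constructed subset of a port-to-protocol table (assumption, not Wireshark's real table).
PORT_TABLE = {80: "http", 443: "tls", 1080: "socks"}

# First line of an HTTP/1.x request or response.
HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} ")


def by_port(port, decode_as=None):
    """Port-keyed lookup; decode_as models a user 'Decode As' override."""
    table = {**PORT_TABLE, **(decode_as or {})}
    return table.get(port)


def by_payload(payload):
    """Content heuristic: inspect the first bytes of the stream, ignore the port."""
    if HTTP_REQUEST.match(payload) or HTTP_RESPONSE.match(payload):
        return "http"
    return None


def classify(port, payload, decode_as=None, heuristic=False):
    """Return the label a display filter such as 'http' would match against."""
    if heuristic:
        hit = by_payload(payload)
        if hit:
            return hit
    # No table entry means the stream stays undissected and shows as plain TCP.
    return by_port(port, decode_as) or "tcp"


def http_off_port(flows):
    """Ports (other than 80) whose payload is HTTP."""
    return [port for port, data in flows if port != 80 and by_payload(data) == "http"]


# Constructed sample flows: (server port, first bytes of the stream).
REQ = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
FLOWS = [(80, REQ), (1080, REQ), (8123, RESP), (1080, b"\x05\x01\x00")]

if __name__ == "__main__":
    for port, data in FLOWS:
        print(port, classify(port, data), classify(port, data, heuristic=True))
    print("HTTP on non-standard ports:", http_off_port(FLOWS))
```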

Licensed under: CC-BY-SA with attribution