When filtering HTTP traffic on a LAN with Wireshark, other protocols often get in the way. SSDP is a common one: with the display filter "http", a large number of SSDP packets show up in the results.
SSDP: Simple Service Discovery Protocol, a protocol that gives network clients a mechanism for using network device services without any configuration, management, or maintenance. It is implemented using multicast discovery based on notification and discovery routing. Clients discover services on the reserved multicast address 239.255.255.250:1900 (IPv4; for IPv6 the address is FF0X::C), and each device service also listens for service discovery requests on this address.
Reference: http://www.cnblogs.com/debin/archive/2009/12/01/1614543.html
SSDP is carried over UDP port 1900, so filter HTTP with a TCP condition, or exclude that UDP port:
tcp && http
http && !(udp.dstport == 1900)
If we just want to see SSDP, we can do the following:
Display filter:
udp && http
udp.dstport == 1900
Capture filter:
udp port 1900
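The following is an added example, not part of the original post: a simplified Python model of the display filters above, run over constructed packet records, to show which packets each filter keeps. It assumes that "http" matches any payload beginning with an HTTP-style start line, and that a reply to an M-SEARCH is sent unicast to the requester's source port; the packet names, ports and payloads are made up.

```python
# Added example: a simplified model of the page's display filters, not Wireshark code.
import re

# HTTP-style start line: request ("M-SEARCH * HTTP/1.1") or status ("HTTP/1.1 200 OK").
START_LINE = re.compile(rb"^(?:[A-Z-]+ \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3} )")

def http(p):
    """Model of the `http` filter: payload begins with an HTTP-style start line."""
    return bool(START_LINE.match(p["payload"]))

def to_ssdp_port(p):
    """Model of `udp.dstport == 1900`; false for TCP, where the field is absent."""
    return p["proto"] == "udp" and p["dport"] == 1900

# The page's filters, expressed over the same packet records.
FILTERS = {
    "http": http,
    "tcp && http": lambda p: p["proto"] == "tcp" and http(p),
    "http && !(udp.dstport == 1900)": lambda p: http(p) and not to_ssdp_port(p),
    "udp.dstport == 1900": to_ssdp_port,
}

# Constructed sample traffic (ports and hosts are made up for illustration).
PACKETS = [
    {"name": "web GET", "proto": "tcp", "sport": 51514, "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"name": "ssdp M-SEARCH", "proto": "udp", "sport": 50000, "dport": 1900,
     "payload": b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"},
    {"name": "ssdp NOTIFY", "proto": "udp", "sport": 1900, "dport": 1900,
     "payload": b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b"NTS: ssdp:alive\r\n\r\n"},
    {"name": "ssdp unicast reply", "proto": "udp", "sport": 1900, "dport": 50000,
     "payload": b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n\r\n"},
]

def matches(expr):
    """Names of the sample packets that the given filter expression keeps."""
    return [p["name"] for p in PACKETS if FILTERS[expr](p)]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:32} -> {matches(expr)}")
```

In this model the destination-port exclusion still lets the unicast reply through, because only its source port is 1900, while "tcp && http" keeps just the TCP request.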
Reference:
http://www.6san.com/538/