Ping packets should use an ICMP type of 8 (echo) or 0 (echo reply), so you could use a capture filter of:
icmp
and a display filter of:
icmp.type == 8 || icmp.type == 0
For HTTP, you can use a capture filter of:
tcp port 80
or a display filter of:
tcp.port == 80
or:
http
Note that a filter of http is not equivalent to the other two, which will include handshake and termination packets.
If you want to measure the number of connections rather than the amount of data, you can limit the capture or display filters to one side of the communication. For example, to capture only packets sent to port 80, use:
dst tcp port 80
Couple that with an http display filter, or use:
tcp.dstport == 80 && http
For more on capture filters, read "Filtering while capturing" from the Wireshark user guide, the capture filters page on the Wireshark wiki, or pcap-filter (7) man page. For display filters, try the display filters page on the Wireshark wiki. The "Filter Expression" dialog box can help you build display filters.
I believe you will have to put a capture filter for all HTTP traffic, and then put in a display filter for the http.response.code == 500.
After you have found a response code, remove the display filter and then use the Follow TCP Stream -or- the Conversation Filter to find the related packets...
Best Answer
Mitch is right. With the negative match like you have, you need both conditions to be true to filter off your IP, thus "and" instead of "or". You could also write it like so:
It might seem more logical to write it as ip.addr != 192.168.5.22, but while that's a valid expression, it will match the other end of the connection as not being the specific IP and still be true. For example, when connecting to 192.168.5.254 from 192.168.5.22, ip.addr != 192.168.5.22 doesn't match the *.22 IP, it matches *.254 and thus the packet matches the filter expression. Here's a complete example to filter http as well:
tcp.dstport != 80 suffers from a similar problem; having tcp.dstport != 80 turns out to mean "match ONLY tcp traffic, but only tcp that is not dstport == 80".
While not strictly your question, I prefer to do filtering in the capture filter (double click the interface name in the capture-options dialog), whose syntax is exactly like tcpdump. It makes the capture take less memory and disk by avoiding capturing packets you're telling it to ignore. The downside is those packets are not captured if you later want to inspect them and you can't change the filter selected this way during a capture session. For example, to keep from capturing http and ssh traffic to/from any host and any packets to or from 192.168.5.22,
If you only wanted to filter http traffic to and from that host, you could do this:
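The != pitfall this answer describes, as an added Python model (not code from the answer or from Wireshark; Packet, field and the sample packets are constructed): ip.addr and tcp.dstport are matched per occurrence, so "field != value" is true when any occurrence differs and false when the field is absent. Wireshark 4.0 changed != to mean !(a == b); the model reproduces the older behaviour the answer discusses.

```python
from dataclasses import dataclass
from typing import Optional
HOST = "192.168.5.22"  # the address the question wants excluded

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp" or "icmp" in the sample
    dport: Optional[int] = None  # only meaningful for tcp

def field(pkt: Packet, name: str) -> list:
    """All occurrences of a filter field in a packet; empty list if the field is absent."""
    if name == "ip.addr":          # ip.addr is checked against BOTH addresses
        return [pkt.src, pkt.dst]
    if name == "tcp.dstport":
        return [pkt.dport] if pkt.proto == "tcp" else []
    raise KeyError(name)

def any_eq(pkt, name, value):
    """'field == value': true if any occurrence equals value (false if field absent)."""
    return any(v == value for v in field(pkt, name))

def any_ne(pkt, name, value):
    """classic 'field != value': true if ANY occurrence differs (false if field absent)."""
    return any(v != value for v in field(pkt, name))

# Constructed sample capture: an HTTP request from HOST and its reply, an unrelated TLS packet, a ping.
PACKETS = [
    Packet("192.168.5.22", "192.168.5.254", "tcp", 80),
    Packet("192.168.5.254", "192.168.5.22", "tcp", 51000),
    Packet("10.0.0.1", "10.0.0.2", "tcp", 443),
    Packet("10.0.0.1", "10.0.0.2", "icmp"),
]

def naive_exclude(pkts):
    """ip.addr != HOST: still keeps HOST's packets, because the far end differs."""
    return [p for p in pkts if any_ne(p, "ip.addr", HOST)]

def correct_exclude(pkts):
    """!(ip.addr == HOST), i.e. ip.src != HOST && ip.dst != HOST."""
    return [p for p in pkts if not any_eq(p, "ip.addr", HOST)]

def naive_not_http(pkts):
    """tcp.dstport != 80: silently drops every non-TCP packet (field absent -> false)."""
    return [p for p in pkts if any_ne(p, "tcp.dstport", 80)]

def correct_not_http(pkts):
    """!(tcp.dstport == 80): keeps the ping too."""
    return [p for p in pkts if not any_eq(p, "tcp.dstport", 80)]
```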