0

I use the following display filters to analyze traffic between a client and a squid3 server with Wireshark, but nothing shows up.

http && tcp
http && tcp && tcp.port == 3888

If I change the squid port back to 3128, then I can see the HTTP packets.

Is this a Wireshark bug, or is it by design? I am using Wireshark 1.6.7.

Thanks.

Diamond
user891260

2 Answers

2

First, this display filter rule is invalid and redundant:

http && tcp http && tcp && tcp.port == 3888

It is sufficient to use:

tcp.port == 3888 && http

Next, 1.6.7 is really an old, unsupported version. Try to upgrade to something newer such as 2.0. Since 1.8 there is a heuristics feature that tries to automatically detect HTTP/1.1 traffic on TCP ports.

Lekensteyn
2

Wireshark can capture them.

It just won't recognize them as HTTP unless it's told to do so or already knows to do so.

Prior to 1.8, in order to tell it to do so, you have to edit the preferences for HTTP and add 3888 to the list of ports for HTTP.

In 1.8 and later, the heuristic dissector may recognize the packets automatically as HTTP; if not, you can still edit the preferences and add 3888 to the list of ports.
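
The difference between port-table and heuristic recognition that both answers describe, as an added example that is not part of the original posts and is not Wireshark's dissector code. The port list, the regular expressions and the sample segments are assumptions constructed for illustration.

```python
import re

# Ports a port-table dissector treats as HTTP (assumed list for this sketch;
# 3128 is included because the question reports that it is recognized).
HTTP_PORTS = {80, 3128, 8080}

# Request line: METHOD SP target SP HTTP/1.x. Status line: HTTP/1.x SP 3-digit code.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}(?: [^\r\n]*)?\r\n")


def by_port(src_port, dst_port, http_ports=HTTP_PORTS):
    """Port-table lookup: the payload is never inspected."""
    return src_port in http_ports or dst_port in http_ports


def by_heuristic(payload):
    """Payload check: does the segment begin with an HTTP/1.x start line?"""
    return bool(REQUEST_LINE.match(payload) or STATUS_LINE.match(payload))


def classify(segments, http_ports=HTTP_PORTS):
    """Return (src, dst, port_says_http, heuristic_says_http) per segment."""
    return [(s, d, by_port(s, d, http_ports), by_heuristic(p))
            for s, d, p in segments]


# Constructed sample segments: (src_port, dst_port, first bytes of TCP payload).
SAMPLES = [
    (51000, 3128, b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (51001, 3888, b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (3888, 51001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    (51002, 3888, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # TLS-like, not HTTP
    (51003, 3888, b"Host: example.com\r\n\r\n"),  # continuation: no start line
]

if __name__ == "__main__":
    for src, dst, port_hit, heur_hit in classify(SAMPLES):
        print(f"{src:>5} -> {dst:<5} port-table={port_hit!s:<5} heuristic={heur_hit}")
    # Adding 3888 to the port set mirrors the preference change from the answers.
    for row in classify(SAMPLES, HTTP_PORTS | {3888}):
        print(row)
```

The last sample shows why a payload heuristic "may" rather than "will" recognize the traffic: a segment that does not begin with a start line is only classified as HTTP once 3888 is in the port list.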