WEBVTT

00:00.090 --> 00:09.460
In this lecture, we are going to learn how to capture application layer traffic like HTTP, HTTPS,

00:09.510 --> 00:12.090
FTP or DNS, etc.

00:12.090 --> 00:12.570
Right?

00:12.600 --> 00:18.450
Let's say you only want to capture the HTTP traffic.

00:18.630 --> 00:23.790
So if you type http, as you can see, it is not a valid filter.

00:23.790 --> 00:29.410
It is a valid display filter, but an invalid capture filter.

00:29.430 --> 00:38.130
So guys, when you want to use application layer protocols as the capture filters, then you have to

00:38.160 --> 00:41.070
specify port at the beginning.

00:41.070 --> 00:44.210
So write port, space, http.

00:44.220 --> 00:48.280
Now as you can see, guys, this is a valid filter.

00:48.300 --> 00:56.100
Right. Now this filter is only going to save or capture the HTTP traffic.

00:56.130 --> 00:58.980
So let me click on START.

00:59.010 --> 01:00.570
Let me refresh Reddit.

01:00.600 --> 01:08.690
As you can see, guys, since Reddit is an HTTPS website, it is not saving the encrypted, or actually

01:08.730 --> 01:15.390
HTTPS, traffic because we have told Wireshark only to capture the HTTP traffic.

01:15.570 --> 01:19.320
Now let me visit an HTTP website.

01:19.350 --> 01:30.590
As you can see, guys, now it is capturing the HTTP traffic. Right, now back to the capture options window.

01:30.600 --> 01:40.560
In the same way you can capture, let's say, SSH or FTP, and this filter is only going to capture the

01:40.710 --> 01:42.120
FTP traffic.

01:42.390 --> 01:46.000
Now let's combine multiple filters.

01:46.020 --> 01:59.880
Now let's say I want to capture FTP and SSH traffic, so I can type port ftp or ssh or pop3 or smtp.

01:59.910 --> 02:07.530
Now this filter is going to capture SMTP, POP3, SSH and FTP traffic.

02:07.530 --> 02:07.920
Right.

02:08.130 --> 02:17.550
Now let's capture secure or HTTPS traffic, so we'll type port and simply add an s to http.

02:17.700 --> 02:24.450
Now this filter is only going to save the encrypted or HTTPS traffic.

02:24.610 --> 02:34.260
Now instead of writing the service name like HTTPS or FTP, we can write the port number where the service

02:34.260 --> 02:34.650
runs.

02:34.740 --> 02:39.270
For example, FTP runs on port number 21.

02:39.270 --> 02:39.630
Right?

02:39.630 --> 02:46.200
So if I type port 21, then it is going to produce the same result as port FTP.

02:46.320 --> 02:53.600
And the port for SSH is 22, and HTTP runs on port number 80.

02:53.610 --> 02:59.010
So this filter is going to capture all the HTTP traffic.

02:59.040 --> 03:04.320
Now if I type port DNS, as you can see, this is not a valid filter, right?

03:04.320 --> 03:09.150
Even though DNS is also an application layer protocol.

03:09.180 --> 03:19.080
Wireshark doesn't allow some application layer protocols to be used as capture filters, like DNS

03:19.080 --> 03:21.480
or DHCP.

03:21.510 --> 03:26.550
So in such cases, all you have to do is write the port number.

03:26.550 --> 03:30.630
So the port number for DNS is 53.

03:30.810 --> 03:37.080
Now this filter is going to capture all the DNS traffic, right?

03:37.080 --> 03:43.470
And in the same way, the port number for DHCP is 67.

03:43.650 --> 03:51.930
So whenever you come across such situations where a protocol name doesn't work, just write the port

03:51.930 --> 03:55.440
number, not the name of the service that runs on the port.

03:55.440 --> 03:56.790
As simple as that.
