Wireshark Filter: How to Capture Only HTTP POST Requests for Debugging



When debugging web applications, isolating POST requests is crucial for analyzing form submissions, API calls, and data uploads. Wireshark offers powerful filtering capabilities to specifically capture these requests.

The simplest filter to catch POST requests:

http.request.method == "POST"

This filter matches every packet that Wireshark dissects as an HTTP request with the POST method, regardless of port.

For more targeted analysis, combine with other conditions:

http.request.method == "POST" && http.host contains "api.example.com"

To capture POST requests with specific content types:

http.request.method == "POST" && http.content_type contains "application/json"

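For encrypted traffic, you'll need to configure SSL/TLS decryption first. A single packet is never both a Client Hello and an HTTP request, so after setup join the two conditions with || rather than &&:

tls.handshake.type == 1 || http.request.method == "POST"

This shows the initial Client Hello messages together with the decrypted POST requests in HTTPS flows.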

When troubleshooting a login form submission:

http.request.method == "POST" && http.request.uri contains "/login"

You can further refine by looking for specific form fields:

http.request.method == "POST" && frame contains "username="

For high-traffic environments, consider pre-filtering during capture:

capture filter: port 80 or port 443
display filter: http.request.method == "POST"

This reduces the capture file size while still preserving the POST requests sent over those ports.

To save only POST requests for later analysis:

Apply the display filter first, then choose:
File → Export Specified Packets...
and export the displayed packets.
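
The same workflow can be scripted with tshark, Wireshark's command-line tool. The following is an added example, not part of the original article: it composes the display filters shown above with safe quoting and wraps the listing, export and pre-filtered capture steps. The function names, file names and interface name are hypothetical, and tshark is assumed to be installed.

```sh
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# Quote a value as a display-filter string literal:
# backslashes and double quotes inside the value are escaped.
df_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"
}

# Build the POST display filter; empty arguments are skipped.
# usage: post_filter [host] [uri_substring] [content_type]
post_filter() {
  f='http.request.method == "POST"'
  [ -n "${1:-}" ] && f="$f && http.host contains $(df_quote "$1")"
  [ -n "${2:-}" ] && f="$f && http.request.uri contains $(df_quote "$2")"
  [ -n "${3:-}" ] && f="$f && http.content_type contains $(df_quote "$3")"
  printf '%s' "$f"
}

# Print one CSV line per matching request in a saved capture.
# usage: list_posts capture.pcapng "$(post_filter api.example.com /login)"
list_posts() {
  tshark -r "$1" -Y "$2" -T fields -E separator=, \
    -e frame.time -e ip.src -e http.host \
    -e http.request.uri -e http.content_type
}

# Command-line counterpart of File -> Export Specified Packets:
# write only the packets matching the display filter to a new file.
# usage: export_posts in.pcapng "$(post_filter)" posts-only.pcapng
export_posts() {
  tshark -r "$1" -Y "$2" -w "$3"
}

# Live capture with the article's capture filter as a pre-filter,
# showing only packets that match the display filter.
# usage: capture_posts eth0 "$(post_filter '' /login)"
capture_posts() {
  tshark -i "$1" -f 'port 80 or port 443' -Y "$2"
}
```

Exported files contain the full POST bodies, including any submitted credentials, so store and share them accordingly.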

When debugging web applications or APIs, capturing POST requests is often crucial since they typically contain important data payloads. Wireshark provides powerful filtering capabilities to isolate these requests from other network traffic.

The most straightforward filter for POST requests is:

http.request.method == "POST"

This filter will show only HTTP packets where the request method is POST. It works across all HTTP versions (1.0, 1.1, and 2).

For more targeted analysis, you can combine filters:

http.request.method == "POST" && http.host contains "api.example.com"

This shows only POST requests to a specific host. You can also filter by URI path:

http.request.method == "POST" && http.request.uri contains "/login"

To examine the actual data being posted, right-click on a POST packet and select "Follow" > "HTTP Stream". For JSON payloads specifically:

http.request.method == "POST" && http.content_type contains "application/json"

For HTTPS traffic, you'll need to configure Wireshark to decrypt TLS. Add the server's private key in:

Edit > Preferences > Protocols > TLS

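Then you can filter decrypted POST requests. A server private key only decrypts sessions negotiated with RSA key exchange; sessions that use ephemeral Diffie-Hellman key exchange, which includes all TLS 1.3 sessions, need a key log file instead (the "(Pre)-Master-Secret log filename" setting in the same dialog).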

Imagine debugging a login issue. You could use:

http.request.method == "POST" && http.request.uri contains "login" && frame.time >= "2023-01-01 09:00:00"

This shows all login POST requests after a specific time, helping isolate problematic attempts.

When working with large captures, apply display filters after capturing rather than as capture filters. POST-specific capture filters are less efficient than protocol-level filters.

Remember that HTTP/2 uses binary framing - the filter still works, but packet inspection is different. Also, some APIs might use non-standard methods despite sending POST data.