filtering by domain


Assuming it's http web traffic, try http.host contains ".com"

Better yet, try http.host matches "\.com$"

Neither one will require DNS resolution since they search on the web host.

From http://wiki.wireshark.org/DisplayFilters

The matches operator makes it possible to search for text in string fields 
and byte sequences using a regular expression, using Perl regular expression 
syntax. Note: Wireshark needs to be built with libpcre in order to be able to 
use the matches operator.
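As an added illustration (not part of the original answer or of Wireshark itself), the following Python script emulates the two display-filter operators on a constructed list of Host header values. It shows why `contains ".com"` over-matches (it also picks up `example.com.attacker.net` and `example.community`), why the anchored `matches "\.com$"` is stricter, and one caveat the anchor introduces: a Host header that carries a port (`example.com:8443`) no longer ends in `.com`. The host names and the `(:\d+)?` extension are assumptions for the example, not something the answer states.

```python
import re

# Constructed sample Host header values; none of these come from the
# questioner's capture.
HOSTS = [
    "www.example.com",
    "example.com:8443",          # Host header carrying a non-default port
    "example.com.attacker.net",  # ".com" appears mid-string: a decoy domain
    "static.example.org",
    "cdn.example.net",
    "example.community",         # ".com" is a prefix of a longer TLD
    "10.0.0.5",                  # bare IP in the Host header
]


def wireshark_contains(value: str, needle: str) -> bool:
    """Emulate Wireshark's `contains`: a plain substring test, no anchoring."""
    return needle in value


def wireshark_matches(value: str, pattern: str) -> bool:
    """Emulate Wireshark's `matches`: a Perl-compatible regex search.

    Wireshark compiles `matches` patterns case-insensitively by default;
    Python's re module is close enough to PCRE for patterns this simple.
    """
    return re.search(pattern, value, re.IGNORECASE) is not None


def select(hosts, predicate):
    """Return the hosts a display filter built from `predicate` would keep."""
    return [h for h in hosts if predicate(h)]


def contains_dot_com(hosts=HOSTS):
    """Equivalent of: http.host contains ".com" """
    return select(hosts, lambda h: wireshark_contains(h, ".com"))


def matches_dot_com_anchored(hosts=HOSTS):
    """Equivalent of: http.host matches "\\.com$" """
    return select(hosts, lambda h: wireshark_matches(h, r"\.com$"))


def matches_com_org_net(hosts=HOSTS):
    """Generalised to the three TLDs the question asked for, with an optional
    :port so that hosts like "example.com:8443" are not dropped by the anchor.
    Equivalent of: http.host matches "\\.(com|org|net)(:\\d+)?$"
    (the optional port group is this example's addition, not the answer's).
    """
    return select(hosts, lambda h: wireshark_matches(h, r"\.(com|org|net)(:\d+)?$"))


if __name__ == "__main__":
    print("contains .com        ->", contains_dot_com())
    print("matches \\.com$       ->", matches_dot_com_anchored())
    print("matches com|org|net  ->", matches_com_org_net())
```

The same filters can be applied to a saved capture from the command line with tshark, e.g. `tshark -r capture.pcap -Y 'http.host matches "\.com$"' -T fields -e http.host`, which prints only the Host values that survive the display filter. Note that `http.host` exists only for plaintext HTTP that Wireshark has dissected as HTTP; for HTTPS the comparable field is the TLS SNI, `tls.handshake.extensions_server_name` (`ssl.handshake.extensions_server_name` in older releases).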


Author: Eray Balkanli

Updated on February 26, 2020

Comments

  • Eray Balkanli
    Eray Balkanli about 4 years

    I want to filter my pcap file by domain. I mean, I want to see the packets that come from a website whose name ends with ".com", ".org" or ".net".

    I tried: dns contains "com", ip.src_host == com, ip.src_host == com, http contains "com". None of them worked correctly.

    • Thaddeus Albers
      Thaddeus Albers about 10 years
      Are these saved capture files you are trying to filter, or running captures? From wireshark.org/docs/wsug_html_chunked/…: The resolved names are not stored in the capture file or somewhere else. Resolved DNS names are cached by Wireshark.
    • Eray Balkanli
      Eray Balkanli about 10 years
      They are already captured files. Thank you for your answer, Thaddeus.
  • Eray Balkanli
    Eray Balkanli about 10 years
    May I ask, when I write "http" as the filter, I can't see any packets. However, when I write "tcp.port == 80", I can see many packets. Why do you think that happens?