How to write a filter in Wireshark/Ethereal that displays only packets with a specific string?

wireshark
10,343

Solution 1

There seems not to be an generic way of doing this. The filter you need to apply is dependent on the protocol you are listening for. Try looking at the filter list at http://www.wireshark.org/docs/dfref/.

Solution 2

Try the "contains" or "matches" operators.

tcp contains "an aloof iguana"
http matches "my pass.+ is(?i)"

Contains does a simple case-sensitive string comparison, and is guaranteed to be in every Wireshark package. Matches lets you apply Perl-compatible regular expressions. Its availability depends on your platform. You can also use contains with byte strings:

ip contains 01:ab:9c:45
Share:
10,343

Related videos on Youtube

Jader Dias
Author by

Jader Dias

Perl, Javascript, C#, Go, Matlab and Python Developer

Updated on September 17, 2022

Comments

  • Jader Dias
    Jader Dias over 1 year

    Wireshark supports filters like this:

    ip.addr == 192.168.0.1

    What is the syntax to check the packet content?

    (C# equivalent of what I want)

    content.Contains("whateverYouWant")
  • Jader Dias
    Jader Dias over 14 years
    It did not work on Wireshark 1.2.3 neither it is in the documentation
  • Gerald Combs
    Gerald Combs over 14 years
    What filter string are you trying to use? (...and you're not trying to apply this as a capture filter, are you?) It looks like we need to add "matches" and "contains" to the User's Guide but you can find examples at wiki.wireshark.org/DisplayFilters

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

AMR Raw Output from Wireshark not playing in players
TCP Server sends [ACK] followed by [PSH,ACK]
How can I dump and decrypt HTTPS traffic from the command line under linux?
How to decode and play back rtp captured packets using Wireshark?
Sniffing Facebook chats with Wireshark
Can you check/monitor the client certificates sent in requests using Wireshark?
How to create a wireshark display filter with wildcard?
Getting YouTube livestream URL
How to filter out "TCP Fast Retransmission" in Wireshark
How to decrypt https