Wireshark - How to filter on JSON content not sent over HTTP
Solution 1
Wireshark supports filters for JSON as well. Go to Analyze->Display Filter and then click on the Expression button to configure different filter strings, such as JSON object, JSON array, etc., along with a relation like "contains" or "is present".
This should help to set up JSON related filters.
EDIT: Attaching screenshot on how to access expression via button
EDIT2: Expression can be accessed in Wireshark Version 2.4.0 as shown below
Solution 2
Use this:
http.content_type == "application/json"
Christopher Pisz
Updated on August 22, 2022
Comments
Christopher Pisz over 1 year
I have a Windows service that uses Winsock communicating to another Windows service that uses Winsock. We are talking over TCP/IP using JSON.
I am trying to prove that my service is behaving properly and that the service it communicates to is not sending the expected data.
I set up Wireshark to capture on the Ethernet card I am using on my local machine and filter on ip.addr == and I can see the traffic.
I am expecting messages that contain "Message One" and I can see them, thousands of them. While I am receiving all those, I expect a few messages that contain "Message Two".
How do I set up the filter to prove that I am not receiving the "Message Two" messages?
I Googled a little bit and someone said use data-text-lines contains "Message Two", but that doesn't work. I can verify it doesn't work by looking at the messages that contain "Message One" and then filtering data-text-line contains "Message One" and they all disappear when they shouldn't. I have a feeling that is for HTTP only.
What do I use for a filter?
EDIT - To reply to v.j's response and have the ability to upload an img:
I do not see the "Expression" button. Here are some screenshots.
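An added example, not part of the original question or answers: when JSON travels over a raw TCP stream, one message can straddle two segments, so a per-packet substring match can miss it. The sketch below reassembles payloads taken from one direction of a stream and tallies the decoded messages. It assumes the messages are JSON objects sent back to back; the sample payloads and the "type" field name are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample: payloads of consecutive TCP segments from one direction
# of a stream, already in sequence order. Field names are hypothetical.
SEGMENTS = [
    b'{"type": "Message One", "seq": 1}{"type": "Mess',
    b'age One", "seq": 2}{"type": "Message T',
    b'wo", "seq": 3}{"type": "Message One", "se',
]

def per_segment_hits(segments, marker: bytes) -> int:
    """Count segments containing marker, as a per-packet substring match does."""
    return sum(marker in seg for seg in segments)

def decode_stream(segments):
    """Reassemble the payloads and decode back-to-back JSON objects.

    Returns (messages, leftover): leftover is the undecoded tail, non-empty
    when the capture ends in the middle of a message.
    """
    text = b"".join(segments).decode("utf-8", errors="replace")
    decoder = json.JSONDecoder()
    messages, pos = [], 0
    while pos < len(text):
        # Skip whitespace or newlines between messages.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos == len(text):
            break
        try:
            obj, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            break  # truncated or non-JSON tail: report it, do not guess
        messages.append(obj)
    return messages, text[pos:]

def count_by_type(messages, field="type"):
    """Tally messages by the value of one field."""
    return Counter(m.get(field) for m in messages if isinstance(m, dict))

if __name__ == "__main__":
    msgs, tail = decode_stream(SEGMENTS)
    print("segments containing 'Message Two':", per_segment_hits(SEGMENTS, b"Message Two"))
    print("messages by type:", dict(count_by_type(msgs)))
    print("undecoded tail:", repr(tail))
```

A non-empty tail means the capture stopped mid-message, so the tally covers only the fully received messages.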