How to write a filter in Wireshark/Ethereal that displays only packets with a specific string?

6

Wireshark supports filters like this:

ip.addr == 192.168.0.1

What is the syntax to check the packet content?

(C# equivalent of what I want)

content.Contains("whateverYouWant")

Jader Dias

Posted 2009-11-23T14:08:27.233

Reputation: 13 660

Answers

1

There seems not to be a generic way of doing this. The filter you need to apply is dependent on the protocol you are listening for. Try looking at the filter list at http://www.wireshark.org/docs/dfref/.

Ahe

Posted 2009-11-23T14:08:27.233

Reputation: 969

4

Try the "contains" or "matches" operators.

tcp contains "an aloof iguana"
http matches "my pass.+ is(?i)"

Contains does a simple case-sensitive string comparison, and is guaranteed to be in every Wireshark package. Matches lets you apply Perl-compatible regular expressions. Its availability depends on your platform. You can also use contains with byte strings:

ip contains 01:ab:9c:45

Gerald Combs

Posted 2009-11-23T14:08:27.233

Reputation: 263

It did not work on Wireshark 1.2.3, nor is it in the documentation – Jader Dias – 2009-11-24T11:22:50.217

What filter string are you trying to use? (...and you're not trying to apply this as a capture filter, are you?) It looks like we need to add "matches" and "contains" to the User's Guide but you can find examples at http://wiki.wireshark.org/DisplayFilters

– Gerald Combs – 2009-11-24T16:10:36.037
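The two operators from Gerald Combs's answer, worked through as an added example that is not part of the original question or answers. The script below builds three constructed TCP frames in pure Python (the `SAMPLE_PACKETS` list is made up, not captured traffic), writes them to a classic pcap so the same filters can be tried in Wireshark, and evaluates `<proto> contains <value>` and `<proto> matches <value>` against them. It follows Wireshark's semantics as I understand them: `contains` is a plain, case-sensitive byte search that accepts either a quoted string or a `01:ab:9c:45` byte string, a bare protocol name such as `tcp` selects that header through the end of the frame (which is why `tcp contains "..."` finds payload text), and `matches` is a regular expression, approximated here with Python's `re` module rather than PCRE. The `http` layer is assumed to exist only on port 80/8080, mirroring Wireshark's port-based dissection. Both operators are display-filter syntax: in tshark they go in `-Y`, not in the BPF capture filter (`-f`), which is the mistake Gerald's comment asks about.

```python
import re
import struct

# Constructed sample traffic for this example (not a real capture):
# (src, dst, sport, dport, payload). Two HTTP segments and one binary one.
SAMPLE_PACKETS = [
    ("10.0.0.2", "10.0.0.5", 51000, 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("10.0.0.2", "10.0.0.5", 51001, 80, b"POST /login HTTP/1.1\r\n\r\nuser=bob&my password is hunter2"),
    ("10.0.0.5", "10.0.0.2", 443, 51002, b"\x16\x03\x01\x00\x05\x01\xab\x9c\x45\x00"),
]
HTTP_PORTS = {80, 8080}  # assumption: where Wireshark would dissect HTTP


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP (PSH/ACK) frame. The TCP checksum is left zero;
    Wireshark still dissects the segment and does not validate it by default."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum16(ip)) + ip[12:]
    return eth + ip + tcp + payload


def write_pcap(path: str, frames) -> None:
    """Classic pcap: magic 0xa1b2c3d4, version 2.4, link type 1 (Ethernet)."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            fh.write(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
            fh.write(frame)


def layer_bytes(frame: bytes, layer: str):
    """Bytes a bare protocol name selects: from that header's first byte to the
    end of the frame. Returns None when the layer is absent (filter is false)."""
    tcp_start = 14 + (frame[14] & 0x0F) * 4          # 14-byte Ethernet + IHL
    payload_start = tcp_start + (frame[tcp_start + 12] >> 4) * 4
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    if layer in ("frame", "eth"):
        return frame
    if layer == "ip":
        return frame[14:]
    if layer == "tcp":
        return frame[tcp_start:]
    if layer == "http":
        return frame[payload_start:] if {sport, dport} & HTTP_PORTS else None
    raise ValueError("unsupported layer: " + layer)


FILTER_RE = re.compile(r'^\s*(\w+)\s+(contains|matches)\s+(.+?)\s*$')


def parse_operand(text: str) -> bytes:
    """Quoted text is a string literal; 01:ab:9c:45 style is a byte string."""
    if text.startswith('"') and text.endswith('"'):
        return text[1:-1].encode("utf-8")
    return bytes.fromhex(text.replace(":", ""))


def apply_filter(expr: str, frames) -> list:
    """Indices of the frames that a '<proto> contains|matches <value>' selects."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError("only '<proto> contains|matches <value>' is supported here")
    layer, op, operand = m.groups()
    value = parse_operand(operand)
    hits = []
    for idx, frame in enumerate(frames):
        data = layer_bytes(frame, layer)
        if data is None:
            continue
        if op == "contains":
            found = value in data  # plain, case-sensitive byte search
        else:
            # Python's re stands in for PCRE. Inline flags such as (?i) must
            # lead the pattern in Python (3.11+ rejects them anywhere else).
            found = re.search(value, data) is not None
        if found:
            hits.append(idx)
    return hits


FRAMES = [build_frame(*p) for p in SAMPLE_PACKETS]

if __name__ == "__main__":
    write_pcap("contains_demo.pcap", FRAMES)
    for expr in ('tcp contains "an aloof iguana"', 'tcp contains "GET"',
                 'http matches "(?i)my pass.+ is"', 'http contains "MY PASSWORD"',
                 'ip contains 01:ab:9c:45', 'ip contains "hunter2"'):
        print("%-36s -> frames %s" % (expr, apply_filter(expr, FRAMES)))
```

After running it, the same expressions can be checked against the written file with Wireshark's display filter bar or `tshark -r contains_demo.pcap -Y 'tcp contains "GET"'`. Note that `http contains "MY PASSWORD"` selects nothing because `contains` is case-sensitive; only the `(?i)` in the `matches` pattern makes the search case-insensitive, and the byte-string form `01:ab:9c:45` finds the binary segment that no string literal would.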