Hi, I'm wanting to filter the initial capture file using the following expression "(expert.message contains "GET /Pages/Home.aspx") && (ip.dst == x.x.x.x)". Unfortunately when I come to setup the capture file and apply the filter it won't accept the expression. It would be much appreicated if you could point me in the right direction. Thanks!! asked 30 Jul '12, 11:04  Testsubjec |
2 Answers:
Besides that your filter works with Wireshark 1.8.1, I suggest to use the following display filter, which should work with pretty much every Wireshark version (at least with the last few releases).
Regards answered 30 Jul '12, 12:49  Kurt Knochner ♦ |
Your expression worked fine for me in Wireshark 1.6.9 (substituting a real address in place of "x.x.x.x" of course). Are you trying to apply a capture filter or a display filter? Your expression is a display filter. It will not work as a capture filter; display filters and capture filters use different syntax. There is no capture filter equivalent to "expert.message contains". You will have to capture the data first, and then apply that as a display filter. answered 30 Jul '12, 13:02  Jim Aragon |
sounds like a version problem. It works with Wireshark 1.8.1.