Hi, I have about a month's worth of Wireshark captures that I'd like to now view only http content that contains the word "EXITAU". That data appears in the "Line-based text data". I don't know how to create a display filter on that. Can it even be done?
Thanks,
Dana
asked 11 Oct '12, 08:32 Dana
One Answer:
You can try this filter:
answered 11 Oct '12, 09:14 Jasper ♦♦
Thanks Jasper. I'm new to Wireshark and I searched all over the internet, but never found "data-text-lines". I'll search on that now to get more documentation on it and other such filterable names.
Dana
There's a simple trick to find that kind of thing: select the part/field that contains what you want to filter on, and you'll see the filter name for it on the left of the status bar. And you can also right-click on the part/field and select "prepare as filter -> selected", which will put the filter right into the filter box for you to change and execute.
Also, you can click on "Expression..." right next to the filter input field, which will open the filter "phone book" of Wireshark, containing all possible filters.
Excellent. Thanks again, Jasper. I'm a software developer who was given the network to look after. I have no training and likely will never be able to get training. It's all interesting, but confusing at times.
Wireshark has really opened up at least the guts of the network to me.
Thanks again.
Dana
The option of "Apply as filter"... that's the best thing to know. Thanks for the question & answers...
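An added example, not part of the original thread: for a month of saved captures, the same kind of display filter on the `data-text-lines` field mentioned above can be run in batch with `tshark` instead of opening each file in the GUI. The function names, the directory layout (`.pcap`/`.pcapng` files in one directory) and `tshark` being on the PATH are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): search saved captures for a
# string inside HTTP "Line-based text data" using a tshark display filter.

# Build the display filter. Backslashes and double quotes in the search term
# are escaped so the term stays inside the quoted filter string.
# Note: "contains" is case-sensitive.
build_filter() {
    printf 'http && data-text-lines contains "%s"' \
        "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Print one tab-separated line per matching packet:
#   file, frame number, capture time, source IP, destination IP
# Returns 0 if any packet matched, 1 if none did.
scan_captures() {
    sc_dir=$1
    sc_filter=$(build_filter "$2")
    sc_found=1
    for sc_file in "$sc_dir"/*.pcap "$sc_dir"/*.pcapng; do
        [ -f "$sc_file" ] || continue      # skip unexpanded globs
        # -r reads a saved capture, -Y applies a display filter,
        # -T fields / -e select the columns to print.
        sc_hits=$(tshark -r "$sc_file" -Y "$sc_filter" -T fields \
                      -e frame.number -e frame.time -e ip.src -e ip.dst)
        [ -n "$sc_hits" ] || continue
        sc_found=0
        printf '%s\n' "$sc_hits" | while IFS= read -r sc_line; do
            printf '%s\t%s\n' "$sc_file" "$sc_line"
        done
    done
    return $sc_found
}

# Usage: scan_captures /path/to/captures EXITAU
```

The frame numbers in the output can then be opened in Wireshark for the few files that actually contain a match.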