This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter by Info column?

1

Is it possible to filter a Wireshark session by the Info column? If so, how?

For example: I would like to filter packets with an expression that looks something like:

Filter: info.contains== GET / foo.cgi?a=bar

Update

The answer by Syn_bit is good and fine. However, using that syntax I'm unable to filter the info column if the data in the info column is within [brackets].

For example: Here's a copy of a packet that contains "ZeroWindowProbeAck" in the info column.

10.10.6.106 10.10.6.222 TCP 60 [TCP ZeroWindowProbeAck] [TCP ZeroWindow] http > ldxp [ACK]

I tried filtering by using this syntax:

Filter: tcp contains "ZeroWindowProbeAck"

Unfortunately, however, this produced zero results.

My guess is that the text that is within brackets are not a part of the actual packet which would explain why I didn't get any search results. So, I took a gander at the actual packet to determine if there is anything in there that is synonymous with searching for ZeroWindowProbeAck, but I couldn't find anything.

Is it possible to search for text that is within brackets? If so, how?

FYI - Here is the full Wireshark packet of the summarized packet that I noted above. Do you see anything in there that would allow me to search for the ZeroWindowProbeAck info?

No.     Time           Source                Destination           Protocol Length Info
  57569 4492.821600000 10.10.6.106           10.10.6.222           TCP      60     [TCP ZeroWindowProbeAck] [TCP ZeroWindow] http > ldxp [ACK] Seq=1 Ack=1 Win=0 Len=0 MSS=1460

Frame 57569: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Interface id: 0
WTAP_ENCAP: 1
Arrival Time: Jan 17, 2013 07:27:49.434311000 Pacific Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1358436469.434311000 seconds
[Time delta from previous captured frame: 0.001530000 seconds]
[Time delta from previous displayed frame: 0.001530000 seconds]
[Time since reference or first frame: 4492.821600000 seconds]
Frame Number: 57569
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update]
Ethernet II, Src: JkMicros_e4:6e:2e (00:90:c2:e4:6e:2e), Dst: Ibm_7a:a3:f7 (00:0d:60:7a:a3:f7)
Destination: Ibm_7a:a3:f7 (00:0d:60:7a:a3:f7)
Address: Ibm_7a:a3:f7 (00:0d:60:7a:a3:f7)
…. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
…. …0 …. …. …. …. = IG bit: Individual address (unicast)
Source: JkMicros_e4:6e:2e (00:90:c2:e4:6e:2e)
Address: JkMicros_e4:6e:2e (00:90:c2:e4:6e:2e)
…. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
…. …0 …. …. …. …. = IG bit: Individual address (unicast)
Type: IP (0x0800)
Padding: c308
Internet Protocol Version 4, Src: 10.10.6.106 (10.10.6.106), Dst: 10.10.6.222 (10.10.6.222)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
…. ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 44
Identification: 0x371c (14108)
Flags: 0x00
0… …. = Reserved bit: Not set
.0.. …. = Don't fragment: Not set
..0. …. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x2255 [correct]
[Good: True]
[Bad: False]
Source: 10.10.6.106 (10.10.6.106)
Destination: 10.10.6.222 (10.10.6.222)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: http (80), Dst Port: ldxp (4042), Seq: 1, Ack: 1, Len: 0
Source port: http (80)
Destination port: ldxp (4042)
[Stream index: 4549]
Sequence number: 1    (relative sequence number)
Acknowledgment number: 1    (relative ack number)
Header length: 24 bytes
Flags: 0x010 (ACK)
000. …. …. = Reserved: Not set
…0 …. …. = Nonce: Not set
…. 0… …. = Congestion Window Reduced (CWR): Not set
…. .0.. …. = ECN-Echo: Not set
…. ..0. …. = Urgent: Not set
…. …1 …. = Acknowledgment: Set
…. …. 0… = Push: Not set
…. …. .0.. = Reset: Not set
…. …. ..0. = Syn: Not set
…. …. …0 = Fin: Not set
Window size value: 0
[Calculated window size: 0]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0xcb16 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (4 bytes), Maximum segment size
Maximum segment size: 1460 bytes
Kind: MSS size (2)
Length: 4
MSS Value: 1460
[SEQ/ACK analysis]
[TCP Analysis Flags]
[This is a ZeroWindow segment]
[Expert Info (Warn/Sequence): Zero window]
[Message: Zero window]
[Severity level: Warn]
[Group: Sequence]
[This is an ACK to a TCP zero-window-probe]
[Expert Info (Note/Sequence): Zero window probe ACK]
[Message: Zero window probe ACK]
[Severity level: Note]
[Group: Sequence]

asked 16 Jan ‘13, 06:48

KTM's gravatar image

KTM
7691314
accept rate: 100%

edited 17 Jan ‘13, 09:47

3 Answers:

0

The info column is not a general field, so it can't be filtered on. However, the information in the info column is a summary of the information in the fields of the highest layer protocol. So you can use the specific protocol fields to filter on.

For your example you could use:

  • http contains "GET / foo.cgi?a=bar"
  • frame contains "GET / foo.cgi?a=bar" (if you don't care if the string is inside HTTP packets)

answered 16 Jan '13, 06:59

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks, SYN-bit.

For future user's that find this post useful: Take note that the expression's argument is case sensitive.

(16 Jan '13, 07:56) KTM

1

Items shown in brackets in the Info column are not necessarily actually present in the frame, which is why you can't find them using the "contains" operator. An item enclosed in brackets is information provided by Wireshark about the frame. There is no "TCP ZeroWindowProbeACK" string or value in the frame. Because Wireshark has seen previous frames, it is able to tell you that this frame is an acknowledgment to a zero window probe, but that information is not contained within the frame itself.

You can still filter on that attribute, but you need a different syntax. In this case, "tcp.analysis.zero_window_probe_ack" will show you all the frames that are acknowledgments to zero windows probes.

PS: In the future, when you want to follow up on someone's answer, it would be better to add a comment rather than to edit the original question. It's difficult to follow the conversation if the original question keeps changing.

answered 17 Jan '13, 10:40

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

edited 13 Mar '13, 11:27

Thanks for that answer, Jim. It works great. +1

Regarding your P.S. - I will remember that. I should have created a new question entirely.

(17 Jan '13, 11:06) KTM

0

I had to in the past filter by "Application Data" Info column

I did following:

  • In the search field/panel, selected "Packet Details" then "String"
  • then typed "Application Data"
  • then the search result highlighted the exact field in the Packet Details where it appears
  • I Right clicked on the field in the Packet Details > Select Add as a Column
  • then go to Edit > Preferences > Columns
  • And checked what exactly is the filter for it
  • In my case it turned out to be ssl.record.content_type
  • Then I noticed that the index for this field in Packet Details was set to "23"
  • so i filtered display by ssl.record.content_type == 23

Hope that helps.

This answer is marked "community wiki".

answered 12 Apr '17, 20:48

evgenia's gravatar image

evgenia
6224
accept rate: 0%