This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter: opposite of “contains”?

0

OK, I know when I want to filter out HTTPs which have wanted text in them i type:

http.referer contains "text"

but what is the command to display all HTTPs except the ones which have certain text in them (which is now unwanted)?

asked 15 Dec '13, 13:48

myrddin's gravatar image

myrddin
117810
accept rate: 0%


2 Answers:

2

Try

http and not (http.referer contains "text")

answered 15 Dec '13, 13:56

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 15 Dec '13, 15:13

Hi, it works but it shows all protocols except HTTPs which contain that text. I want to see all HTTP protocols which don't have that text in the referer field. I know this is is probably stupid question, but I skimmed quickly through help and didn't find it and I don;t have time to read it in detail...

(15 Dec '13, 14:46) myrddin

OK, I've updated my answer to give a filter that only matches HTTP packets where the Referer: field doesn't contain the specified text.

(15 Dec '13, 15:14) Guy Harris ♦♦

Works great, thanks!

(15 Dec '13, 15:29) myrddin

I think http.referer and not (http.referer contains "text") would work even better, as not every http packet will contain an http.referer field.

(15 Dec '13, 17:41) cmaynard ♦♦

Depends on whether he wants "all HTTP messages except for those that have a Referer: field containing the text in question" or "all HTTP messages including a Referer: field that doesn't contain the text in question". The first would be

http and not (http.referer contains "text")

and the second would be

http.referer and not (http.referer contains "text")
(15 Dec '13, 17:51) Guy Harris ♦♦

2

Another idea: use a filter with a regular expression, that contains the field http.referer only once. The filter is shorter, but maybe slower than others and harder to understand, so take this just as an example of what can be done :-)

http.referer matches "^((?!text).)*$"

Will match all frames with a field http.referer that does not contain the string text

Anyway, the regular expression answers your question in the title:

filter: opposite of "contains"?

The opposite (as I understand it) is the regular expression shown above: xxx matches "^((?!text).)*$", where xxx is the field in question and text is the search string.

Regards
Kurt

answered 16 Dec '13, 06:42

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 16 Dec '13, 11:27