This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I filter out only the data sent at the Application layer?

0

Network has Application-Presentation-Session-Transport-Net-data-Physical layers. Assume a GDB Client and Server talk and exchange 10 packets. I want to set the filter so that I see the 10 packets exchanged as seen by the App layer only in a chronological order. I dont want to see any of the other packets. Meaning let us assume following is the packets exchanged Client(First column is Client) The second column is Server

"Hello how are you" is sent -->

                         <--         "I am fine"

"What time is it?" -->

                         <--         "Around noon"

So on and so forth. The filter should just show the strings being exchanged.

One more question. Yesterday Quadratic helped me. Here is a followup question. In the below commandline feature if my IP's are 10.x.x.x and 10.y.y.y and the names are "Client" and "Server" what do I type for the -i option. -i {what do I type here?}" C:\Program Files\Wireshark\dumpcap.exe -c 50 -i {interface name or number} -w {wherever you want to save the packet capture file}

asked 16 Apr '14, 13:59

agvardha's gravatar image

agvardha
21226
accept rate: 0%

edited 16 Apr '14, 14:04


One Answer:

2

"I want to set the filter so that I see the 10 packets exchanged as seen by the App layer only in a chronological order. I dont want to see any of the other packets."

Try data.data to get only packets that contain data.

"The filter should just show the strings being exchanged"

To see the strings that are exchanged in the packet list pane you need

  • Edit -> Preferences -> Protocol -> Data: Show data as text: check this item
  • Add a New Column to show a 'custom' column "data.text" in the packet list

alt text

Hope this answers this question.

For "One more question" open "one more thread" to keep the Q&A site (vs. forum) tidy ;-)

answered 17 Apr '14, 00:46

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

edited 17 Apr '14, 02:56

2

Grrr. It's not a forum :-)

(17 Apr '14, 02:21) grahamb ♦

well, it's a 'forum' for questions and answers ;-))

(19 Apr '14, 16:43) Kurt Knochner ♦