Sometimes, I'd like to set a filter on 'all packets that have "TCP Previous segment not captured" in their info string', or something else that shows up in the info string column. Is this possible? Right now, I use the "workaround" of searching the packet details of one packet for what causes the string to be displayed, use "Copy as / Filter" in the right-click menu, then use the copied string to build the display filter. However, this is a bit clumsy, and I'd like the display filter input box to show the string I'm searching for instead of the property, especially if there are several. So, is it possible to filter on the display string? asked 24 Mar '15, 02:51 Guntram Blohm
3 Answers:
See also https://ask.wireshark.org/questions/40447/contain-display-filter. Basically, there is no filter field for the info column in Wireshark (though there is in tshark). So your workaround (search for the string, find a corresponding filter expression and then use that as a filter) is about the best you can get. You can of course file an enhancement request at https://bugs.wireshark.org and maybe someone will find the interest to add this functionality. answered 24 Mar '15, 13:20 SYN-bit ♦♦
Try the tcp.analysis.x display filters, e.g. tcp.analysis.lost_segment. Everything that is in the info column is also displayed under the protocol details. answered 24 Mar '15, 03:28 Roland edited 24 Mar '15, 03:32
Generally all the expert info messages have an associated filter field that should be used in preference to string matching in the info field. For your condition, use the filter "tcp.analysis.lost_segment == 1". You can usually determine the filter name by selecting the field of interest in the protocol tree and looking at the status bar. answered 24 Mar '15, 03:33 grahamb ♦
"(though there is in tshark)" - I need the tshark one. Can you guide me a bit about that? For example using tshark, if I want to apply a display filter which returns only those packets whose info section contains the string "abc", how can I do that?
See the answer by @CraigGarrett to this question.
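An added example, not part of this thread, of the tshark route the comment above asks about: tshark prints the frame number and the Info column as tab-separated fields, and a small awk filter keeps only frames whose Info text contains the wanted substring. It assumes the tshark field name _ws.col.Info for the Info column; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Keep only lines of the form "<frame>\t<info>" (as produced by tshark -T fields)
# whose Info text contains PATTERN as a plain substring (case sensitive).
# Reads stdin, writes matching lines to stdout, so it can be tested offline.
filter_info_lines() {
  pattern="$1"
  # awk -v interprets backslash escapes in the value; patterns with
  # backslashes would need escaping, which this helper does not attempt.
  awk -F'\t' -v pat="$pattern" 'index($2, pat) > 0 { print $1 "\t" $2 }'
}

# Run tshark on a capture file and filter on the Info column text.
# Usage: info_grep capture.pcapng 'Previous segment not captured'
# Assumption: _ws.col.Info is accepted by -T fields -e as the Info column.
info_grep() {
  capture="$1"
  pattern="$2"
  tshark -r "$capture" -T fields -e frame.number -e _ws.col.Info \
    | filter_info_lines "$pattern"
}

# Where a dedicated expert-info field exists, prefer it over string matching,
# as the accepted answers recommend; for this thread's case that is:
#   tshark -r capture.pcapng -Y 'tcp.analysis.lost_segment'
# The string match above is for Info text that has no such field.
```

The awk stage can also be pointed at a saved tshark field dump, which is useful when the capture is too large to re-dissect for every pattern tried.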