This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can I set a display filter on the string in the “info” column?

0

Sometimes, I'd like to set a filter on 'all packets that have "TCP Previous segment not captured" in their info string', or something else that shows up in the info string column. Is this possible?

Right now, I use the "workaround" of searching the packet details of one packet for what causes the string to be displayed, use "Copy as / Filter" in the right click menu, then use the copied string to build the display filter. However, this is a bit clumsy, and I'd like the display filter input box to show the string I'm searching for instead of the property, especially if there are several ands and ors joined together.

So, is it possible to filter on the display string?

asked 24 Mar '15, 02:51


Guntram Blohm
accept rate: 0%


3 Answers:

0

See also https://ask.wireshark.org/questions/40447/contain-display-filter.

Basically, there is no filter field for the info column in Wireshark (though there is in tshark). So your workaround (search for the string, find a corresponding filter expression and then use that as a filter) is about the best you can get.

You can of course file an enhancement request to https://bugs.wireshark.org and maybe someone will find the interest to add this functionality.

answered 24 Mar '15, 13:20


SYN-bit ♦♦
accept rate: 20%

"(though there is in tshark)" - I need the tshark one. Can you guide me a bit about that? For example using tshark, if I want to apply a display filter which returns only those packets whose info section contains the string "abc", how can I do that?

(15 Sep '16, 09:48) Jesss

See the answer by @CraigGarrett to this question.

(15 Sep '16, 10:40) grahamb ♦
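As an added illustration of the tshark route mentioned in this answer (example code written for this archive, not from the answerer or the Wireshark project): tshark can print the Info column with `-e _ws.col.Info`, so the text can be matched after the fact and the hits turned back into a frame-number filter for the GUI. The packet capture path and the sample tshark output are constructed assumptions.

```python
"""Match packets by the text of the Info column via tshark -T fields."""
import subprocess
from typing import List, Tuple

FIELDS = ["frame.number", "_ws.col.Info"]

# Constructed sample of what `tshark -T fields` prints (tab separated).
SAMPLE_OUTPUT = (
    "12\t[TCP Previous segment not captured] 443 → 51234 [ACK] Seq=1 Ack=1 Len=1380\n"
    "13\t443 → 51234 [ACK] Seq=1381 Ack=1 Len=1380\n"
    "57\t[TCP Previous segment not captured] 80 → 40000 [PSH, ACK] Seq=1 Ack=1 Len=1460\n"
)


def tshark_command(pcap: str, display_filter: str = "") -> List[str]:
    """Build the tshark command; -Y narrows the input with a normal filter first."""
    cmd = ["tshark", "-r", pcap, "-T", "fields", "-E", "separator=/t"]
    if display_filter:
        cmd += ["-Y", display_filter]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text: str) -> List[Tuple[int, str]]:
    """One packet per line: '<frame.number>\\t<Info text>'."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            num, _, info = line.partition("\t")
            rows.append((int(num), info))
    return rows


def match_info(rows, needle: str, case_sensitive: bool = False) -> List[int]:
    """Frame numbers whose Info text contains needle."""
    if not case_sensitive:
        needle = needle.lower()
    return [n for n, info in rows
            if needle in (info if case_sensitive else info.lower())]


def frame_filter(frames: List[int]) -> str:
    """Display filter selecting exactly those frames, pasteable into Wireshark."""
    return " || ".join(f"frame.number == {n}" for n in frames)


def grep_info(pcap: str, needle: str, display_filter: str = "") -> str:
    """Run tshark on a capture and return a frame filter for the matching packets."""
    out = subprocess.run(tshark_command(pcap, display_filter),
                         capture_output=True, text=True, check=True).stdout
    return frame_filter(match_info(parse_fields_output(out), needle))


if __name__ == "__main__":
    hits = match_info(parse_fields_output(SAMPLE_OUTPUT), "previous segment not captured")
    print(frame_filter(hits))  # frame.number == 12 || frame.number == 57
```

Pass a display filter such as `tcp.analysis.lost_segment` to `grep_info` when one is known, so only the packets that already match it are text-searched.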

0

Try the tcp.analysis.x display filters, e.g. tcp.analysis.lost_segment.

Everything that is in the info column is also displayed under the protocol details.

answered 24 Mar '15, 03:28


Roland
accept rate: 13%

edited 24 Mar '15, 03:32

0

Generally all the expert info messages have an associated filter field that should be used in preference to string matching in the info field.

For your condition, use the filter "tcp.analysis.lost_segment == 1". You can usually determine the filter name by selecting the field of interest in the protocol tree and looking at the status bar.

answered 24 Mar '15, 03:33


grahamb ♦
accept rate: 22%