This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi I am trying to use WireShark to capture packets that being transmitted between server 10.0.4.18 to 10.0.4.44 and the respond coming from 10.0.4.44 to 10.0.4.18 to each request.

I used the following filter to narrow down the results

http && ( (ip.dst == 10.0.4.44 ) || (ip.dst == 10.0.4.18  ) ) && frame.time > "2015-09-02 13:00:40.0000"  && frame.time < "2015-09-02 13:20:50.0000" && http.response.code !=  200 && http.response.code !=  201 && http.response.code !=  202

All I am looking for is a packet that contains the following string in its respond body

A session cookie was expected in the request, but not found.

But I can't find a way to see the message body unless I right click on each packet and select "Follow TCP Stream."

How to filter down the results based on a part of the message body?

asked 02 Sep '15, 16:46

Mike%20A's gravatar image

Mike A
11115
accept rate: 0%

edited 02 Sep '15, 16:47


Did you try display filter tcp contains "cookie was expected" ?

permanent link

answered 02 Sep '15, 21:59

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×549
×349
×184

question asked: 02 Sep '15, 16:46

question was seen: 18,604 times

last updated: 02 Sep '15, 21:59

p​o​w​e​r​e​d by O​S​Q​A