How to filter data based on the message body?

Question

Hi I am trying to use WireShark to capture packets that being transmitted between server 10.0.4.18 to 10.0.4.44 and the respond coming from 10.0.4.44 to 10.0.4.18 to each request.

I used the following filter to narrow down the results

http && ( (ip.dst == 10.0.4.44 ) || (ip.dst == 10.0.4.18  ) ) && frame.time > "2015-09-02 13:00:40.0000"  && frame.time < "2015-09-02 13:20:50.0000" && http.response.code !=  200 && http.response.code !=  201 && http.response.code !=  202

All I am looking for is a packet that contains the following string in its respond body

A session cookie was expected in the request, but not found.

But I can't find a way to see the message body unless I right click on each packet and select "Follow TCP Stream."

How to filter down the results based on a part of the message body?

Accepted Answer

1	Did you try display filter `tcp contains "cookie was expected"` ? permanent link answered 02 Sep '15, 21:59 mrEEde 3.9k●15●22●70 accept rate: 20%

How to filter data based on the message body?

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions