This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter data based on the message body?

0

Hi I am trying to use WireShark to capture packets that being transmitted between server 10.0.4.18 to 10.0.4.44 and the respond coming from 10.0.4.44 to 10.0.4.18 to each request.

I used the following filter to narrow down the results

http && ( (ip.dst == 10.0.4.44 ) || (ip.dst == 10.0.4.18  ) ) && frame.time > "2015-09-02 13:00:40.0000"  && frame.time < "2015-09-02 13:20:50.0000" && http.response.code !=  200 && http.response.code !=  201 && http.response.code !=  202

All I am looking for is a packet that contains the following string in its respond body

A session cookie was expected in the request, but not found.

But I can't find a way to see the message body unless I right click on each packet and select "Follow TCP Stream."

How to filter down the results based on a part of the message body?

asked 02 Sep '15, 16:46

Mike%20A's gravatar image

Mike A
11115
accept rate: 0%

edited 02 Sep '15, 16:47

One Answer:

1

Did you try display filter tcp contains "cookie was expected" ?

answered 02 Sep '15, 21:59

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%