This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter on HTTP Content (Line-based text data)

0

Hi,

I have about a month's worth of Wireshark captures, and I'd now like to view only the HTTP content that contains the word "EXITAU". That data appears in the "Line-based text data".

I don't know how to create a display filter on that. Can it even be done?

Thanks,

Dana

asked 11 Oct '12, 08:32

Dana


One Answer:

1

You can try this filter: data-text-lines contains "EXITAU"

answered 11 Oct '12, 09:14

Jasper ♦♦

Thanks Jasper. I'm new to Wireshark and I searched all over the internet, but never found "data-text-lines". I'll search on that now to get more documentation on it and other such filterable names.

Dana

(11 Oct '12, 09:20) Dana
1

There's a simple trick to find that kind of thing: select the part/field that contains what you want to filter on, and you'll see the filter name for it on the left of the status bar. And you can also right click on the part/field and select "prepare as filter -> selected" which will put the filter right into the filter box for you to change and execute.

Also, you can click on "Expression..." right next to the filter input field, which will open the filter "phone book" of Wireshark, containing all possible filters.

(11 Oct '12, 09:25) Jasper ♦♦

Excellent. Thanks again, Jasper. I'm a software developer who was given the network to look after. I have no training and likely will never be able to get training. It's all interesting, but confusing at times.

Wireshark has really opened up at least the guts of the network to me.

Thanks again.

Dana

(11 Oct '12, 09:57) Dana

The option of "Apply as filter"... that's the best thing to know. Thanks for the question & answers...

(06 May '16, 15:31) khader
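
For a month's worth of capture files, the filter from the answer can be applied in batch with tshark, the command-line tool that ships with Wireshark. The script below is an added example, not part of the original thread. It assumes a current tshark (which takes display filters via -Y) and captures named *.pcap or *.pcapng; the function names and the TSHARK override variable are made up for this example.

```shell
#!/bin/sh
# Added example: run the thread's display filter over a directory of captures.
# Assumption: tshark is on PATH unless TSHARK points somewhere else.
TSHARK="${TSHARK:-tshark}"

# Build the display filter for a search term. Terms that are empty or contain
# a double quote or backslash are rejected so the term cannot change the
# structure of the filter expression.
build_filter() {
    case "$1" in
        ''|*\"*|*\\*) return 1 ;;
    esac
    printf 'data-text-lines contains "%s"' "$1"
}

# For every capture in DIR with at least one matching frame, print
# "file<TAB>number-of-matching-frames".
scan_captures() {
    dir=$1
    filter=$(build_filter "$2") || { echo "unusable search term" >&2; return 2; }
    for f in "$dir"/*.pcap "$dir"/*.pcapng; do
        [ -f "$f" ] || continue
        # -r reads a saved capture, -Y applies the display filter, and
        # -T fields -e frame.number prints one line per matching frame.
        n=$("$TSHARK" -r "$f" -Y "$filter" -T fields -e frame.number 2>/dev/null \
            | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf '%s\t%s\n' "$f" "$n"
        fi
    done
    return 0
}

# Usage when run as a script: ./scan.sh /path/to/captures EXITAU
if [ "$#" -ge 2 ]; then
    scan_captures "$1" "$2"
fi
```

Files listed in the output can then be opened in Wireshark with the same display filter to inspect the matching frames.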