Not directly, the display filter capabilities of Wireshark are "per-packet", i.e. is this packet to be displayed or not. There isn't a direct mechanism to say display this packet because of some condition in another packet.

MATE might be a possible solution as:

MATE's goal is to enable users to filter frames based on information extracted from related frames or information on how frames relate to each other.

You could also use tshark, some scripting and post-processing, e.g. run a first pass on the capture to only include SMTP frames with an EHLO but not the extra text, output the tcp stream numbers for those frames and use that to build a filter for a second pass on the capture to output those streams. Some ideas for this can be found in the SharkFest'18 presentation by @SYN-bit here.
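The two-pass tshark approach described above, written out as an added shell example that is not part of the original answer. It assumes tshark is on the PATH, that the first-pass filter is the SMTP EHLO command (smtp.req.command == "EHLO"), and that the capture file path is given as the script's first argument.

```shell
#!/bin/sh
# Added example (not from the original answer): two tshark passes over one capture.
# Assumptions: tshark is on PATH; pass 1 selects SMTP EHLO frames; the capture
# path is $1. The filter-building step is a plain shell function so it can be
# checked without a capture.

# Turn a newline-separated list of tcp.stream numbers into a display filter
# using the set-membership operator, e.g. "tcp.stream in {0 4 9}".
# Non-numeric lines are ignored, duplicates are removed, and an empty list
# yields no output (the caller treats that as "no matching streams").
build_stream_filter() {
    streams=$(printf '%s\n' "$1" | grep -E '^[0-9]+$' | sort -n -u | tr '\n' ' ')
    streams=${streams% }
    [ -n "$streams" ] || return 0
    printf 'tcp.stream in {%s}\n' "$streams"
}

# Pass 1: print the TCP stream number of every frame matching the EHLO filter.
first_pass() {
    tshark -r "$1" -Y 'smtp.req.command == "EHLO"' -T fields -e tcp.stream
}

# Pass 2: re-read the capture, keeping every frame of the selected streams.
second_pass() {
    tshark -r "$1" -Y "$2"
}

if [ -n "$1" ]; then
    filter=$(build_stream_filter "$(first_pass "$1")")
    if [ -n "$filter" ]; then
        second_pass "$1" "$filter"
    else
        echo "no streams matched the first-pass filter" >&2
    fi
fi
```

Run it as `sh two_pass.sh capture.pcapng`; add `-w selected.pcapng` to the second tshark call if you want the selected streams written to a new capture instead of printed.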