Ask Your Question
0

What filter can I use to display a frame with a particular string in a particular field?

asked 2023-02-25 16:29:40 +0000

pippuzzo gravatar image

updated 2023-02-26 06:07:10 +0000

Guy Harris gravatar image

I watched a video on the internet, and captured the network trace. Inspecting the decrypted packets exported to a text file, I discovered the frame 909 as having the HLS chunk 0018.ts. Wireshark visualizes that frame in this way:
No. .Source... Destination.................................Protocol Length
909 10.0.2.15 d105emv5h26k8d.cloudfront.net HTTP2 433

Info
HEADERS[15]: GET /paessler/segment/f3922ee967ed449e8d56f9e7c98578ab/hls/1645113192470/f3922ee967ed449e8d56f9e7c98578ab-hls_00018.ts, WINDOW_UPDATE[15]

Not knowing the frame number, what can be a suitable filter to display that unique frame? I tried (http2 contains "18.ts"), and also other parts of the file name, for example (http2 contains "/segment/f392"), with no result.
Can you help please?
Thanks and Regards

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-02-25 16:42:32 +0000

Chuckc gravatar image

For the sample file (http2-h2c.pcap) on the Wireshark wiki HTTP2 page:

http2.headers.path contains "human"

http2.header.value contains "human"
edit flag offensive delete link more

Comments

Good suggestion. I tried it, but it is not accepted, it remains in red. Luckily in the meanwhile a popup help appeared, suggesting "http2.request.full_uri". This in turn works, with the modifier contains etc Great!

pippuzzo gravatar imagepippuzzo ( 2023-02-25 17:15:51 +0000 )edit

So, in the end, a good filter is

http2.request.full_uri contains "whatever"

pippuzzo gravatar imagepippuzzo ( 2023-02-25 17:18:46 +0000 )edit

What version of Wireshark are you running?
Those http2 fields have been around at least since 2.6.0.

Chuckc gravatar imageChuckc ( 2023-02-25 21:46:30 +0000 )edit

Wireshark 4.0.0 64 bit on Windows 10

pippuzzo gravatar imagepippuzzo ( 2023-02-26 17:37:08 +0000 )edit

I tested also the previous two suggestions:
-http2.headers.path contains "xyz"
-http2.header.value contains "xyz"
and indeed both are good and work. The first one can accept only the trailing part, beginning with "/paessler". The second one, even better, can accept parts of the destination server name, OR the method ("GET" in this case), OR the trailing part.
So, our arsenal of filters is enriched with three "guns".
Thanks

pippuzzo gravatar imagepippuzzo ( 2023-02-26 19:14:11 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-02-25 16:29:40 +0000

Seen: 666 times

Last updated: Feb 26 '23