This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to create a filter for a particular field?


Hi, I want to create a display filter for a particular field. Please help me to finish my task.

HTTP Header:

Hypertext Transfer Protocol
    POST / HTTP/1.1\r\n
    Content-Type: text/xml; charset=utf-8\r\n
    SOAPAction: "create"\r\n

Here, I want to create a filter for the “SOAPAction” field.

asked 11 Sep '11, 08:05


JK7

edited 11 Sep '11, 10:43


helloworld


One Answer:


The HTTP field list doesn't include SOAPAction, so SOAPAction is added as a simple text item. You can filter for it in a couple ways:

Option 1: Custom HTTP header field

Add a custom header field to your HTTP preferences (requires Wireshark restart), which allows you to filter for the field.

  1. Open menu: Edit > Preferences > Protocols > HTTP > Custom HTTP headers fields
  2. Click New
  3. For Header name, enter SOAPAction
  4. For Field desc, enter Intent of SOAP HTTP request (or whatever)
  5. Click OK
  6. Restart Wireshark.
  7. In the Display Filter textbox, enter http.header.SOAPAction, and click Apply. The textbox background should turn green, indicating the display filter syntax is correct (and that our preference changes for the custom field SOAPAction took effect).

Option 2: String matching display filter

This display filter scans entire HTTP packets for the string "SOAPAction:". This might be inefficient compared to a custom HTTP header field, but it works well.

http contains "SOAPAction:"

answered 11 Sep '11, 11:19


helloworld

edited 11 Sep '11, 17:15

Hi "Helloworld" Thanks.....

(12 Sep '11, 09:10) JK7
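
The difference between the two options in the answer above, as an added Python example that is not part of the original thread and is not Wireshark's dissector code: a header-field match looks only at parsed header lines (HTTP header names are case-insensitive), while a `contains`-style match is a case-sensitive byte search over the whole message, body included. The function names and the three sample requests are constructed for illustration.

```python
# Added illustration: models the two filtering approaches from the answer.
# It is not Wireshark code; all names and sample requests are constructed.

def parse_headers(raw: bytes) -> dict:
    """Return the header fields of one HTTP request, keyed by lower-cased name."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep:                               # ignore lines without a colon
            key = name.strip().lower().decode("latin-1")
            headers[key] = value.strip().decode("latin-1")
    return headers

def header_field_match(raw: bytes, name: str = "SOAPAction"):
    """Option 1 analogue: value of the named header, or None if absent."""
    return parse_headers(raw).get(name.lower())

def substring_match(raw: bytes, needle: bytes = b"SOAPAction:") -> bool:
    """Option 2 analogue: case-sensitive byte search over headers and body."""
    return needle in raw

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "soap_call": b'POST / HTTP/1.1\r\nContent-Type: text/xml; charset=utf-8\r\n'
                 b'SOAPAction: "create"\r\n\r\n<Envelope/>',
    "lowercase_header": b'POST / HTTP/1.1\r\nsoapaction: "create"\r\n\r\n'
                        b'<Envelope/>',
    "body_only": b'POST /notes HTTP/1.1\r\nContent-Type: text/plain\r\n\r\n'
                 b'Remember to set SOAPAction: on the client',
}

def compare(samples=SAMPLES):
    """Map sample name -> (header value or None, substring hit)."""
    return {k: (header_field_match(v), substring_match(v))
            for k, v in samples.items()}

if __name__ == "__main__":
    for name, (value, hit) in compare().items():
        print(f"{name:17} header={value!r:10} contains={hit}")
```

The `lowercase_header` sample is missed by the substring search, and the `body_only` sample is a substring hit with no SOAPAction header at all, which is worth keeping in mind when using the string filter to triage SOAP traffic.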