Wireshark supports filters like this:
ip.addr == 192.168.0.1
What is the syntax to check the packet content?
(C# equivalent of what I want)
content.Contains("whateverYouWant")
asked Nov 23, 2009 at 14:08
Add a comment
|
2 Answers
There seems not to be an generic way of doing this. The filter you need to apply is dependent on the protocol you are listening for. Try looking at the filter list at http://www.wireshark.org/docs/dfref/.
Try the "contains" or "matches" operators.
tcp contains "an aloof iguana"
http matches "my pass.+ is(?i)"
Contains does a simple case-sensitive string comparison, and is guaranteed to be in every Wireshark package. Matches lets you apply Perl-compatible regular expressions. Its availability depends on your platform. You can also use contains with byte strings:
ip contains 01:ab:9c:45
-
It did not work on Wireshark 1.2.3 neither it is in the documentation Commented Nov 24, 2009 at 11:22
-
What filter string are you trying to use? (...and you're not trying to apply this as a capture filter, are you?) It looks like we need to add "matches" and "contains" to the User's Guide but you can find examples at wiki.wireshark.org/DisplayFilters Commented Nov 24, 2009 at 16:10