Wireshark mailing list archives
Re: Wireshark filter "contains" question
From: Guy Harris <guy () alum mit edu>
Date: Wed, 21 Jul 2010 12:34:50 -0700
On Jul 21, 2010, at 12:29 PM, George Vandelet wrote:
I have recently found the "contains" filter in wireshark which is VERY powerful. For instance, if I only want to see http packets that contain the string "SOAP" I could use the filter "http contains SOAP". However, if I wish to use the filter to show http packets that DON'T contain the string SOAP, I can not do it! I have tried using the following without success.

    http contains !(SOAP)
    http contains !SOAP
    http !contains SOAP

Does anyone know a way to negate the "contains" filter?
As Gerald Combs said the previous time you asked this question, the way you negate a "contains" filter - and it works for *any* filter - is to say "not" in front of it:

    not http contains "SOAP"

although that will match all packets that don't have "SOAP" in the HTTP part, including packets that don't have it in the HTTP part because they *have* no HTTP part because, for example, they're not HTTP packets.

Therefore, to see all HTTP packets that don't contain "SOAP", do

    http and not http contains "SOAP"

As Gerald also said, at least if your version of Wireshark includes support for "matches", you can do

    http and not http matches "(?i)soap"

which does case-insensitive matching (so it also filters out "soap" and "SoAp" and "sOAp" and...).
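Added example, not part of the original message and not Wireshark's own code: a small Python model of the filter semantics described in the reply, run over four constructed packets to show which ones each filter displays. The packet contents and the helper names (has, contains, matches, not_, and_, run) are assumptions made for illustration.

```python
import re

# Constructed sample capture: packet number -> {layer name: raw layer bytes}.
# Packet 4 is not HTTP at all, so it has no "http" layer.
PACKETS = {
    1: {"http": b'POST /svc HTTP/1.1\r\nSOAPAction: "urn:example"\r\n\r\n'},
    2: {"http": b"POST /svc HTTP/1.1\r\nContent-Type: application/soap+xml\r\n\r\n"},
    3: {"http": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    4: {"dns": b"\x12\x34\x01\x00\x07example\x04test\x00"},
}

# Each helper returns a predicate over one packet (a simplified model).
def has(layer):                      # bare protocol name, e.g. `http`
    return lambda pkt: layer in pkt

def contains(layer, needle):         # `http contains "SOAP"`, case-sensitive
    return lambda pkt: layer in pkt and needle in pkt[layer]

def matches(layer, pattern):         # `http matches "(?i)soap"`, regex search
    rx = re.compile(pattern)
    return lambda pkt: layer in pkt and rx.search(pkt[layer]) is not None

def not_(f):
    return lambda pkt: not f(pkt)

def and_(f, g):
    return lambda pkt: f(pkt) and g(pkt)

FILTERS = {
    'http contains "SOAP"': contains("http", b"SOAP"),
    'not http contains "SOAP"': not_(contains("http", b"SOAP")),
    'http and not http contains "SOAP"':
        and_(has("http"), not_(contains("http", b"SOAP"))),
    'http and not http matches "(?i)soap"':
        and_(has("http"), not_(matches("http", rb"(?i)soap"))),
}

def run(name):
    """Return the numbers of the constructed packets the named filter displays."""
    return [n for n, pkt in sorted(PACKETS.items()) if FILTERS[name](pkt)]

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:40} -> packets {run(name)}")
```

Packet 4 showing up under the bare "not" filter is the non-HTTP case the reply describes, and packet 2 dropping out only under "matches" is the effect of case-insensitive matching.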