Wireshark mailing list archives

Re: Wireshark filter "contains" question


From: Guy Harris <guy () alum mit edu>
Date: Wed, 21 Jul 2010 12:34:50 -0700


On Jul 21, 2010, at 12:29 PM, George Vandelet wrote:

I have recently found the "contains" filter in wireshark which is VERY powerful.  For instance, if I only want to 
see http packets that contain the string "SOAP" I could use the filter "http contains SOAP".  However, if I wish to 
use the filter to show http packets that DON'T contain the string SOAP, I can not do it!  I have tried using the 
following without success.
 http contains !(SOAP)
 http contains !SOAP
 http !contains SOAP 
 
 Does anyone know a way to  negate the "contains" filter?

As Gerald Combs said the previous time you asked this question, the way you negate a "contains" filter - and it works 
for *any* filter - is to say "not" in front of it:

        not http contains "SOAP"

although that will match all packets that don't have "SOAP" in the HTTP part, including packets that don't have it in 
the HTTP part because they *have* no HTTP part because, for example, they're not HTTP packets.

Therefore, to see all HTTP packets that don't contain "SOAP", do

        http and not http contains "SOAP"

As Gerald also said, at least if your version of Wireshark includes support for "matches", you can do

        http and not http matches "(?i)soap"

which does case-insensitive matching (so it also filters out "soap" and "SoAp" and "sOAp" and...).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
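
The three filters from the reply above, modelled in Python as an added example (not part of the original message and not Wireshark code). The packet list is constructed, and the helper names `contains`, `matches` and `select` are assumptions that mimic the behaviour the reply describes: a test on a protocol the packet does not carry is false, so negating it is true.

```python
import re

# Constructed sample capture: each packet maps a protocol name to that
# layer's raw bytes. A packet without an "http" key has no HTTP part.
PACKETS = [
    {"id": 1, "tcp": b"\x16\x03\x01 handshake bytes"},  # not an HTTP packet
    {"id": 2, "tcp": b"", "http": b"POST /svc HTTP/1.1\r\n\r\n<SOAP-ENV:Envelope>"},
    {"id": 3, "tcp": b"", "http": b"POST /svc HTTP/1.1\r\n\r\n<soap:Envelope>"},
    {"id": 4, "tcp": b"", "http": b"GET /index.html HTTP/1.1\r\n\r\n"},
]


def contains(pkt, proto, needle):
    """Model of `proto contains "needle"`: false when the layer is absent."""
    return proto in pkt and needle in pkt[proto]


def matches(pkt, proto, pattern):
    """Model of `proto matches "pattern"`: regex search over the layer bytes."""
    return proto in pkt and re.search(pattern, pkt[proto]) is not None


def select(predicate):
    """Return the ids of the packets the filter would display."""
    return [p["id"] for p in PACKETS if predicate(p)]


def not_contains():
    # not http contains "SOAP"
    # Packet 1 is shown too: it has no HTTP part, so the inner test is false.
    return select(lambda p: not contains(p, "http", b"SOAP"))


def http_and_not_contains():
    # http and not http contains "SOAP"
    # Restricts to HTTP packets first; lowercase "soap" still gets through.
    return select(lambda p: "http" in p and not contains(p, "http", b"SOAP"))


def http_and_not_matches():
    # http and not http matches "(?i)soap"
    # Case-insensitive, so packet 3 is filtered out as well.
    return select(lambda p: "http" in p and not matches(p, "http", rb"(?i)soap"))


if __name__ == "__main__":
    for f in (not_contains, http_and_not_contains, http_and_not_matches):
        print(f.__name__, f())
```
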

