In this recipe we will have a look at the instructions and examples to configure display filters for common protocols such as DNS, HTTP, and FTP.
The purpose of this recipe is to learn how to configure filters that will help us in network troubleshooting. We will learn about network troubleshooting in the upcoming chapters.
To perform this recipe, you will need a running Wireshark capture; there are no other prerequisites.
In this recipe we will see the display filters for some common protocols.
The following are some common HTTP display filters:
- To display all HTTP packets sent to a specific host name, use http.host == "<host name>"
- To display all HTTP packets with a specific request method, use http.request.method == "<request method>"; for example, for the GET method, use http.request.method == "GET"
- To display all HTTP requests for a specific full URI, use http.request.uri == "<full request URI>"; for example, http.request.uri == "/v2/rating/mail.google.com"
- To display all HTTP requests whose URI contains a given string, use http.request.uri contains "<URI string>"; for example, http.request.uri contains "mail.google.com"
- To display all HTTP packets that carry a Cookie header, use http.cookie
- To display all HTTP packets that carry a Set-Cookie header, use http.set_cookie
- To display all packets that set a cookie and contain the string google, use (http.set_cookie) && (http contains "google")
- To display all HTTP GET requests that contain ZIP files, use http matches ".zip" && http.request.method == "GET"
The Wireshark regular expression syntax for display filters uses the same syntax as regular expressions in Perl.
Some common modifiers are as follows:
- ^ : This is used to match the beginning of the line
- $ : This is used to match the end of the line
- | : This is used for alternation purposes
- () : This is used for grouping purposes
- * : This is used to match either 0 or more times
- + : This is used to match 1 or more times
- ? : This is used to match 1 or 0 times
- {n} : This is used to match exactly n times
- {n,} : This is used to match at least n times
- {n,m} : This is used to match at least n but not more than m times
You can use these modifiers to configure more complex filters. Have a look at the following examples:
- To display all HTTP GET commands that contain ZIP files, excluding requests whose Accept-Encoding header is "gzip, deflate", use http.request.method == "GET" && http matches ".zip" && !(http.accept_encoding == "gzip, deflate")
- To display all HTTP packets whose host name ends with .com, use http.host matches ".com$"
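To see why the regex filters above select what they do, here is an added example (not from the book or from Wireshark) that reproduces the contains and matches semantics in Python over a few constructed HTTP requests; the HttpRequest class, the sample requests and the helper names are assumptions of the example. Python's re stands in for Wireshark's PCRE engine, and case sensitivity is left at Python's default.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    """Constructed stand-in for the HTTP fields Wireshark dissects (not a real capture)."""
    method: str
    uri: str
    host: str
    accept_encoding: str = ""

    def raw(self) -> str:
        # Approximates the whole "http" layer, which is what "http contains"/"http matches" scan.
        return (f"{self.method} {self.uri} HTTP/1.1\r\nHost: {self.host}\r\n"
                f"Accept-Encoding: {self.accept_encoding}\r\n\r\n")

def http_contains(req, needle):
    """'http contains "x"': a literal substring test; '.' is just a dot here."""
    return needle in req.raw()

def http_matches(req, pattern):
    """'http matches "x"': a Perl-style regex search; an unescaped '.' matches any character."""
    return re.search(pattern, req.raw()) is not None

def get_zip_filter(req, pattern=".zip"):
    """http.request.method == "GET" && http matches <pattern> && !(http.accept_encoding == "gzip, deflate")"""
    return (req.method == "GET" and http_matches(req, pattern)
            and req.accept_encoding != "gzip, deflate")

def host_filter(req, pattern=".com$"):
    """http.host matches <pattern>"""
    return re.search(pattern, req.host) is not None

SAMPLE = [  # constructed requests; the URIs and hosts are made up for the example
    HttpRequest("GET", "/files/report.zip", "dl.example.com"),
    HttpRequest("GET", "/index.html", "www.example.com", "gzip, deflate"),
    HttpRequest("GET", "/index.html", "www.example.com", "gzip"),  # "gzip" is matched by ".zip"
    HttpRequest("POST", "/upload/archive.zip", "www.example.org"),
    HttpRequest("GET", "/azip-tool/docs", "tools.example.net"),  # "azip" is matched by ".zip" too
    HttpRequest("GET", "/status", "print.telecom"),  # not a .com host, but "ecom" matches ".com$"
]

def select(filter_fn, reqs=SAMPLE, **kw):
    """Return the URIs of the requests that pass the filter, like Wireshark's filtered packet list."""
    return [r.uri for r in reqs if filter_fn(r, **kw)]
```

The unescaped dot is why the page's ZIP filter also picks up requests that merely advertise gzip encoding; escaping it (\.zip, \.com$) keeps only true ZIP URIs and .com hosts. In Wireshark itself the backslash must be escaped inside the filter string, as in http.host matches "\\.com$" (recent versions also accept a raw string, r"\.com$").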