Wireshark mailing list archives

Re: display filter for HTTP-ExpertInfo0Message?


From: Greg Hauptmann <greg.hauptmann.ruby () gmail com>
Date: Wed, 18 Aug 2010 16:16:44 +1000

excellent - thanks Martin

On 18 August 2010 12:05, Martin Visser <martinvisser99 () gmail com> wrote:
As with any fields that appear in the Wireshark packet display, the easiest
way to create a matching (or similar) filter is to select the field,
right-click and select Apply As Filter:Selected. This will then create a
filter exactly matching that field. In a trace file I had that also had a
Proxy Authentication Required message, I got the following filter:-

expert.message == "HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )\\r\\n"

However, as you can see, that is very specific to the text message for that
particular response. The filter meant that it didn't show up another similar
response, which if I filter on it, gives:-

expert.message == "HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )\\r\\n"

So a better filter that matches both cases would be:-
'expert.message contains "HTTP/1.1 407 Proxy Authentication Required"' or
maybe even 'expert.message contains "HTTP/1.1 407"' in case the proxy uses
a different text language.

Of course, rather than relying on the "expert" you might even be better using just
the http decode:-

http.response.code == 407

Regards, Martin




MartinVisser99 () gmail com


On Wed, Aug 18, 2010 at 11:02 AM, Greg Hauptmann
<greg.hauptmann.ruby () gmail com> wrote:

Hi,

Anyone know what the display filter syntax would be to filter on
the contents of the HTTP/ExpertInfo/Message? e.g. a filter
that is equivalent to "HTTP/ExpertInfo/Message contains "Proxy
Authentication Required""

thanks

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe






-- 
Greg
http://blog.gregnet.org/
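
Added example, not part of the original messages and not Wireshark code: a Python sketch that emulates the matching semantics of the four filters discussed in this thread (exact `==`, two `contains` variants, and the numeric `http.response.code`) over constructed status lines. It goes slightly beyond the thread by including a localized reason phrase and an HTTP/1.0 response; the function names and sample lines are assumptions made for illustration.

```python
import re

# Constructed status lines, not from a real capture. Lines 0 and 1 carry the
# two reason phrases quoted in the thread; lines 2-4 are made-up variants.
STATUS_LINES = [
    "HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires "
    "authorization to fulfill the request. Access to the Web Proxy filter "
    "is denied.  )\r\n",
    "HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )\r\n",
    "HTTP/1.1 407 Authentification proxy requise\r\n",  # localized phrase
    "HTTP/1.0 407 Proxy Authentication Required\r\n",   # older HTTP version
    "HTTP/1.1 200 OK\r\n",                              # unrelated response
]

# "HTTP/<major>.<minor> <3-digit code>" followed by a space or end of line.
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})(?: |\r\n|$)")


def status_code(line):
    """Return the numeric status code of a status line, or None if malformed.

    Stands in for what a filter on http.response.code compares against.
    """
    m = STATUS_RE.match(line)
    return int(m.group(1)) if m else None


def matching_indexes(predicate, lines):
    """Indexes of the lines for which the predicate is true."""
    return [i for i, line in enumerate(lines) if predicate(line)]


def compare_strategies(lines=STATUS_LINES):
    """Show which sample lines each filter style from the thread would select."""
    exact_text = lines[0]
    phrase = "HTTP/1.1 407 Proxy Authentication Required"
    return {
        # expert.message == "<full text>": only the identical message
        "exact": matching_indexes(lambda l: l == exact_text, lines),
        # expert.message contains "<version code phrase>": misses other languages
        "contains_phrase": matching_indexes(lambda l: phrase in l, lines),
        # expert.message contains "HTTP/1.1 407": misses other HTTP versions
        "contains_code": matching_indexes(lambda l: "HTTP/1.1 407" in l, lines),
        # http.response.code == 407: independent of phrase and version
        "response_code": matching_indexes(lambda l: status_code(l) == 407, lines),
    }


if __name__ == "__main__":
    for name, hits in compare_strategies().items():
        print(f"{name:16} -> lines {hits}")
```
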

