Question

I have looked all over the net for a tutorial on how to filter the info column but can't find any that makes sense.

I want to filter all logs where the info column contains the text "insitu-conf" but can't find out how. Help please.


Solution

You actually can't do this directly. The info column is decoded based on the properties of the packet, though, and you can filter on these, which will have exactly the same effect. The only difference is you have to figure out what info Wireshark is using to create that info line, which may be non-intuitive.

In this example, 'insitu-conf' is a port alias for port 1490 (grep insitu-conf /etc/services) and so Wireshark is telling you that this is a packet from remote port 51811 to local port 1490. Thus, the capture filter for those packets would be 'dst port 1490'.

In other instances, there may be a more descriptive info line which is derived from several properties of the packet, including the port and some of the data -- for instance, http requests on port 80 will have an info line that actually includes the first line of the http request.
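The following is an added illustration, not code from the original answer or from Wireshark: it resolves a service alias the way Wireshark's Info column does (from a services table), builds the equivalent display and capture filters, and then shows on a handful of constructed packets that a substring match on the rendered Info text selects exactly the same packets as a filter on the underlying port field. The /etc/services excerpt, the sample packets and the Info rendering are constructed approximations of what Wireshark shows, not its real output.

```python
"""Added example: why filtering on the port field is equivalent to filtering
the Info column for a service alias such as insitu-conf.  Stand-alone, not
Wireshark code; the services table and packets are constructed sample data."""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of /etc/services (what `grep insitu-conf /etc/services`
# reads; the real file is much longer).
SERVICES_EXCERPT = """\
# service-name  port/protocol  [aliases ...]
http            80/tcp          www            # WorldWideWeb HTTP
insitu-conf     1490/tcp                       # Insitu-Conf
insitu-conf     1490/udp
"""


def parse_services(text: str) -> Tuple[Dict[Tuple[str, str], int], Dict[Tuple[int, str], str]]:
    """Return (name->port, port->canonical name) maps keyed by protocol."""
    by_name: Dict[Tuple[str, str], int] = {}
    by_port: Dict[Tuple[int, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        fields = line.split()
        name = fields[0]
        port_s, proto = fields[1].split("/")
        port = int(port_s)
        by_port.setdefault((port, proto), name)      # first name listed is canonical
        for alias in [name] + fields[2:]:
            by_name.setdefault((alias, proto), port)
    return by_name, by_port


BY_NAME, BY_PORT = parse_services(SERVICES_EXCERPT)


def resolve_alias(alias: str, proto: str = "tcp") -> Optional[int]:
    """Port behind a service alias: embedded table first, then the OS services
    database (socket.getservbyname reads /etc/services)."""
    port = BY_NAME.get((alias, proto))
    if port is not None:
        return port
    try:
        return socket.getservbyname(alias, proto)
    except OSError:
        return None


def display_filter(port: int) -> str:
    """Wireshark display filter matching the port in either direction."""
    return f"tcp.port == {port} || udp.port == {port}"


def capture_filter(port: int, direction: str = "dst") -> str:
    """BPF capture filter; note capture syntax has no '==' operator."""
    return f"{direction} port {port}"


@dataclass
class Packet:
    proto: str
    src_port: int
    dst_port: int
    payload: bytes = b""


def info_column(pkt: Packet) -> str:
    """Approximate Wireshark's Info column: resolved names instead of raw
    ports, and the first request line for HTTP, as the answer describes."""
    def label(port: int) -> str:
        name = BY_PORT.get((port, pkt.proto))
        return f"{name}({port})" if name else str(port)
    info = f"{label(pkt.src_port)} > {label(pkt.dst_port)}"
    if 80 in (pkt.src_port, pkt.dst_port) and pkt.payload:
        info = pkt.payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return info


def filter_by_info(packets: List[Packet], needle: str) -> List[Packet]:
    """What the asker wants: substring match on the rendered Info text."""
    return [p for p in packets if needle in info_column(p)]


def filter_by_port(packets: List[Packet], port: int) -> List[Packet]:
    """What tcp.port == N || udp.port == N actually evaluates."""
    return [p for p in packets if port in (p.src_port, p.dst_port)]


# Constructed sample traffic: two insitu-conf segments, one HTTP, one SSH.
SAMPLE = [
    Packet("tcp", 51811, 1490),
    Packet("udp", 1490, 40000),
    Packet("tcp", 52000, 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet("tcp", 53000, 22),
]

if __name__ == "__main__":
    port = resolve_alias("insitu-conf")
    print(display_filter(port), "|", capture_filter(port))
    for p in SAMPLE:
        print(f"{info_column(p):32} selected={p in filter_by_port(SAMPLE, port)}")
```

Running it prints the two filters and one line per sample packet; the insitu-conf segments are selected in both directions, while the HTTP and SSH packets are not, which is the same set a text match on the Info column would give.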

OTHER TIPS

Are you looking for capture filters or display filters? Is "insitu-conf" a hostname?

Edit:

Looks like insitu-conf is port 1490, so a simple filter like:

tcp.port == 1490 || udp.port == 1490

Should do the trick.

You can use Microsoft Network Monitor to do the trick.

Open your file in Microsoft Network Monitor.
Right-click on an item in the Description column and choose "Add 'Description' to Display Filter" from the context menu.
The Display Filter is added to the Filter Window.
Hit the Apply button on the filter toolbar.

Examples:

Description == "HTTP:Request, GET / "
Description.contains("Request")
Description.contains("insitu-conf")

http://www.lovemytool.com/blog/2011/03/microsoft-network-monitor-34-search-the-description-column-by-joke-snelders.html

http.request.uri matches "insitu-conf" should also work.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow