1. Enter the string you want to match
3. Copy the filter below
What is this?
It's a web page that lets you create capture filters that match strings in TCP payloads.
What does it do?
It takes the string you enter, splits it into 1, 2, or 4 byte chunks, converts them to numbers, and creates a capture filter that matches those numbers at the offset you provide.
It should handle most UTF-8 characters but this hasn't been tested.
What is it good for?
You can use it to filter things like top-level HTTP requests ("GET / HTTP/1."), HTTP responses ("HTTP/1."), POP3 logins ("USER"), and lots of other things.
What is it NOT good for?
Matching strings at arbitrary locations. You can't do that with capture filters (BPF doesn't support it) You need to use the "matches" or "contains" display filter operators instead. You'll have to use the "matches" display filter operator for case insensitive matching as well.
What's up with all of the fancy bit-twiddling in the TCP header?
It makes sure we skip over any TCP options that might be present. See Sake's explanation for more details.
Shouldn't this sort of thing be built into Wireshark?
Free 30 day trial
- Save hours on network and application issue diagnoses
- Monitor physical and virtual environments
- GUI packet capture and analysis
- Fully integrated with Wireshark
- WLAN packet capture and transmission
- Full 802.11 a/b/g/n support
- View management, control and data frames
- Multi-channel aggregation (with multiple adapters)