String-Matching Capture Filter Generator

1. Enter the string you want to match

2. Enter the offset from the start of the TCP data

3. Copy the filter below

What is this?

It's a web page that lets you create capture filters that match strings in TCP payloads.

What does it do?

It takes the string you enter, splits it into 1, 2, or 4 byte chunks, converts them to numbers, and creates a capture filter that matches those numbers at the offset you provide.

It should handle most UTF-8 characters but this hasn't been tested.

What is it good for?

You can use it to filter things like top-level HTTP requests ("GET / HTTP/1."), HTTP responses ("HTTP/1."), POP3 logins ("USER"), and lots of other things.

What is it NOT good for?

Matching strings at arbitrary locations. You can't do that with capture filters (BPF doesn't support it) You need to use the "matches" or "contains" display filter operators instead. You'll have to use the "matches" display filter operator for case insensitive matching as well.

What's up with all of the fancy bit-twiddling in the TCP header?

It makes sure we skip over any TCP options that might be present. See Sake's explanation for more details.

Shouldn't this sort of thing be built into Wireshark?


Enhance Wireshark

Riverbed is Wireshark's primary sponsor and provides our funding. They also make great products.

Troubleshoot your Network

Free 30 day trial

Free 30 day trial

  • Save hours on network and application issue diagnoses
  • Monitor physical and virtual environments
  • GUI packet capture and analysis
  • Fully integrated with Wireshark

Try Cascade Shark VE & Cascade Pilot Free for 30 Days

802.11 Packet Capture

Riverbed AirPcap
  • WLAN packet capture and transmission
  • Full 802.11 a/b/g/n support
  • View management, control and data frames
  • Multi-channel aggregation (with multiple adapters)

Learn More

Buy Now

Packet Analysis Made Easy

    Cascade Pilot Personal Edition graphs
  • Visually rich, powerful LAN analyzer
  • Quickly access very large pcap files
  • Professional, customizable reports
  • Advanced triggers and alerts
  • Fully integrated with Wireshark

Try Cascade Pilot PE FREE for 10 days

Buy Now