Wireshark-users: Re: [Wireshark-users] display filter for HTTP-ExpertInfo0Message?

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Wed, 18 Aug 2010 12:05:28 +1000
As with any fields that appear in the Wireshark packet display, the easiest way to create a matching (or similar) filter is to select the field, right-click and select Apply As Filter:Selected. This will then create a filter exactly matching that field. In a trace file I had that also had a Proxy Authentication Required message, I got the following filter:-

expert.message == "HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )\\r\\n"

However as you can see that is very specific to the text message for that particular response. The filter meant that it didn't show up another similar response, which if I filter on it, gives:-

expert.message == "HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )\\r\\n"

So a better filter that matches both cases would be:-

'expert.message contains "HTTP/1.1 407 Proxy Authentication Required"' or maybe even 'expert.message contains "HTTP/1.1 407"' in case the proxy uses a different text language

Of course, rather than relying on the "expert", you might be even better off using just the http decode:-

http.response.code == 407

Regards, Martin

MartinVisser99@xxxxxxxxx


On Wed, Aug 18, 2010 at 11:02 AM, Greg Hauptmann <greg.hauptmann.ruby@xxxxxxxxx> wrote:
Hi,

Anyone know what the display filter syntax would be to filter on
the contents of the HTTP/ExpertInfo/Message?   e.g. a filter
that is equivalent to "HTTP/ExpertInfo/Message  contains "Proxy
Authentication Required""

thanks
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
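
An added example, not part of the original thread: the four filter strategies from the reply, emulated in Python over sample message texts instead of run in Wireshark. The first two messages are the ones quoted in the reply; the localized, HTTP/1.0 and 200 messages, and the names `status_code` and `compare`, are constructed for this illustration.

```python
import re

# Expert-info message texts. The first two are quoted in the thread; the
# other three are constructed for this example.
MESSAGES = [
    "HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires "
    "authorization to fulfill the request. Access to the Web Proxy filter "
    "is denied.  )\\r\\n",
    "HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )\\r\\n",
    "HTTP/1.1 407 Proxy-Authentifizierung erforderlich\\r\\n",  # localized text
    "HTTP/1.0 407 Proxy Authentication Required\\r\\n",         # other version
    "HTTP/1.1 200 OK\\r\\n",
]

# Status line: version, space, three-digit status code.
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")


def status_code(message):
    """Return the numeric status code, like the decoded http.response.code."""
    m = STATUS_LINE.match(message)
    return int(m.group(1)) if m else None


def compare(messages):
    """Return, per strategy, the indexes of the messages it matches."""
    exact_text = messages[0]
    strategies = {
        # expert.message == "<full text of one response>"
        "exact": lambda m: m == exact_text,
        # expert.message contains "HTTP/1.1 407 Proxy Authentication Required"
        "contains_reason": lambda m:
            "HTTP/1.1 407 Proxy Authentication Required" in m,
        # expert.message contains "HTTP/1.1 407"
        "contains_code": lambda m: "HTTP/1.1 407" in m,
        # http.response.code == 407
        "response_code": lambda m: status_code(m) == 407,
    }
    return {name: [i for i, m in enumerate(messages) if test(m)]
            for name, test in strategies.items()}


if __name__ == "__main__":
    for name, hits in compare(MESSAGES).items():
        print(f"{name:16} matches messages {hits}")
```

Only the numeric comparison catches all four 407 responses; the substring filters depend on the HTTP version and on the reason text the proxy sends.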