
Wireshark-users: Re: [Wireshark-users] display filter for HTTP-ExpertInfo0Message?

From: Greg Hauptmann <greg.hauptmann.ruby@xxxxxxxxx>
Date: Wed, 18 Aug 2010 16:16:44 +1000
excellent - thanks Martin

On 18 August 2010 12:05, Martin Visser <martinvisser99@xxxxxxxxx> wrote:
> As with any fields that appear in the Wireshark packet display, the easiest
> way to create a matching (or similar) filter is to select the field,
> right-click and select Apply As Filter:Selected. This will then create a
> filter exactly matching that field. In a trace file I had that also had a
> Proxy Authentication Required message, I got the following filter:-
> expert.message == "HTTP/1.1 407 Proxy Authentication Required ( The ISA
> Server requires authorization to fulfill the request. Access to the Web
> Proxy filter is denied.  )\\r\\n"
> However as you can see that is very specific to the text message for that
> particular response. The filter meant that it didn't show up another similar
> response, which if I filter on it, gives:-
> expert.message == "HTTP/1.1 407 Proxy Authentication Required ( Access is
> denied.  )\\r\\n"
> So a better filter that matches both cases would be:-
> 'expert.message contains "HTTP/1.1 407 Proxy Authentication Required"' or
> maybe even 'expert.message contains "HTTP/1.1 407"' in case the proxy uses
> a different text language.
> Of course, rather than relying on the "expert" you might be even better off using just
> the http decode :-
> http.response.code == 407
> Regards, Martin
>
> MartinVisser99@xxxxxxxxx
>
>
> On Wed, Aug 18, 2010 at 11:02 AM, Greg Hauptmann
> <greg.hauptmann.ruby@xxxxxxxxx> wrote:
>>
>> Hi,
>>
>> Anyone know what the display filter syntax would be to filter on
>> the contents of the HTTP/ExpertInfo/Message?   e.g. filter
>> that is equivalent to "HTTP/ExpertInfo/Message  contains "Proxy
>> Authentication Required""
>>
>> thanks
>>



-- 
Greg
http://blog.gregnet.org/
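
The trade-off between the filters discussed in this thread, as an added example that is not part of the original messages and is not Wireshark code: the Python below emulates the four matching strategies over constructed HTTP responses. The sample responses (including the localized and HTTP/1.0 variants), the strategy names and the helper functions are assumptions made for illustration.

```python
import re

# Constructed sample responses (raw bytes as they would appear on the wire).
SAMPLES = {
    "isa_long": b"HTTP/1.1 407 Proxy Authentication Required ( The ISA Server "
                b"requires authorization to fulfill the request. Access to the "
                b"Web Proxy filter is denied.  )\r\nProxy-Authenticate: NTLM\r\n\r\n",
    "isa_short": b"HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )\r\n\r\n",
    "localized": b"HTTP/1.1 407 Proxyauthentifizierung erforderlich\r\n\r\n",
    "http10": b"HTTP/1.0 407 Proxy Authentication Required\r\n\r\n",
    "ok": b"HTTP/1.1 200 OK\r\n\r\n",
}

# Status line: HTTP-version SP 3-digit code, then an optional reason phrase.
STATUS_LINE = re.compile(rb"^(HTTP/\d\.\d) (\d{3})(?: ([^\r\n]*))?\r\n")

def status_line(raw):
    """Return (status line text, numeric code), or None if not an HTTP response."""
    m = STATUS_LINE.match(raw)
    if not m:
        return None
    return m.group(0).decode("latin-1"), int(m.group(2))

# The text an exact "Apply As Filter: Selected" match would be pinned to.
EXACT = status_line(SAMPLES["isa_long"])[0]

# Hypothetical names for the four approaches from the thread.
STRATEGIES = {
    "exact": lambda line, code: line == EXACT,
    "contains_reason": lambda line, code:
        "HTTP/1.1 407 Proxy Authentication Required" in line,
    "contains_code": lambda line, code: "HTTP/1.1 407" in line,
    "status_code": lambda line, code: code == 407,  # like http.response.code == 407
}

def matches(strategy):
    """Names of the sample responses that the given strategy selects."""
    pred = STRATEGIES[strategy]
    hits = []
    for name, raw in SAMPLES.items():
        parsed = status_line(raw)
        if parsed and pred(*parsed):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for s in STRATEGIES:
        print(f"{s:16} -> {matches(s)}")
```

Only the numeric status-code comparison selects all four 407 responses; the text-based matches each miss at least one variant, with the HTTP/1.0 response escaping even the shortest `contains` string.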