Draft in progress. More content will be added here.
Display filters allow you to use Wireshark’s powerful multi-pass packet processing capabilities.
Sometimes you want to search packet data and a display filter won’t cut it.
`matches` will search with a regex while `contains` searches for exact byte sequences.

You’re looking for an HTTP GET that contains a request for a URL that starts with ‘http’ or ‘https’, has the Russian ‘.ru’ domain, and contains the word ‘worm’ in the query string.
Luckily, Wireshark gives you `matches`, which uses PCRE regex syntax. A simple one that satisfies this is `https?.*?\.ru.*?worm`. If this seems like Greek, you can explore it on regex101.

Given that this is a GET, it’s better to just search the ‘http’ protocol: `http matches "https?.*?\.ru.*?worm"`
Note that the regex is double quoted. With tshark, the `-Y "display filter"` argument also needs to be double-quoted, so in order to use this display filter, escape the inner quotes:

```
tshark -r $file -Y "frame matches \"https?.*?\.ru.*?worm\""
```
You cannot use the null character, `\x00`, when using `matches` because Wireshark uses null-terminated C strings. Use `[^\x01-\xff]` instead.
`contains` searches the text representation of a field. If you’re looking for any frames that match an OUI ‘00:16:e3’, there are a couple of ways of doing this.
```
# These are all equivalent
tshark -r $file -Y "eth.addr contains 00:16:e3"
tshark -r $file -Y "eth.addr[0:3] == 00:16:e3"
tshark -r $file -Y "eth.addr matches \"^[^\x01-\xff]\x16\xe3\""
```
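As an added example (not from this page and not Wireshark or tshark code), here is a small Python script that models the worm-URL regex and the three OUI filters above over constructed bytes, using Python’s `re` module as a stand-in for PCRE (the patterns use only syntax the two share). The request payloads and Ethernet addresses are constructed, and the `c_string` function is a model of the null-terminated C-string problem the page describes, not Wireshark’s actual code. It also shows one way the three OUI filters differ in practice: `contains` matches the OUI bytes at any offset in the field, while the slice comparison and the anchored regex only match at the start of the address.

```python
import re

# --- The page's HTTP worm-URL regex, run by Python's bytes regex engine ---
URL_WORM_RE = re.compile(rb"https?.*?\.ru.*?worm")


def http_matches(payload: bytes) -> bool:
    """Model of: http matches "https?.*?\\.ru.*?worm" for one request payload."""
    return URL_WORM_RE.search(payload) is not None


# Constructed sample request payloads (not taken from a real capture)
SUSPECT_GET = (
    b"GET http://mirror.example.ru/get.php?file=worm.exe HTTP/1.1\r\n"
    b"Host: mirror.example.ru\r\n\r\n"
)
BENIGN_GET = (
    b"GET http://www.example.com/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n\r\n"
)

# --- The three OUI filters, modelled over a 6-byte Ethernet address ---
OUI = bytes.fromhex("0016e3")
# [^\x01-\xff] is the page's stand-in for \x00 (only 0x00 is outside that range)
OUI_RE = re.compile(rb"^[^\x01-\xff]\x16\xe3")

# Constructed addresses: OUI at the start, and the same bytes at offset 3
ADDR_OUI_FIRST = bytes.fromhex("0016e3a1b2c3")
ADDR_OUI_LATER = bytes.fromhex("aabbcc0016e3")


def oui_contains(addr: bytes) -> bool:
    """eth.addr contains 00:16:e3 -- the byte sequence anywhere in the field."""
    return OUI in addr


def oui_slice(addr: bytes) -> bool:
    """eth.addr[0:3] == 00:16:e3 -- the first three bytes only."""
    return addr[0:3] == OUI


def oui_matches(addr: bytes) -> bool:
    """eth.addr matches "^[^\\x01-\\xff]\\x16\\xe3" -- anchored regex."""
    return OUI_RE.search(addr) is not None


# --- Why \x00 cannot be used: a model of the null-terminated C-string problem ---
def c_string(pattern: bytes) -> bytes:
    """Model (assumption, not Wireshark code): a C string ends at the first NUL,
    so everything from \\x00 onward is silently dropped."""
    return pattern.split(b"\x00", 1)[0]


def pattern_survives_c_string(pattern: bytes) -> bool:
    """True if treating the pattern as a C string leaves it unchanged."""
    return c_string(pattern) == pattern


def truncated_pattern_matches(addr: bytes) -> bool:
    """What a literal \\x00 in the OUI regex degrades to: '^\\x00\\x16\\xe3'
    becomes just '^', which matches every address (a false positive)."""
    degraded = re.compile(c_string(b"^\x00\x16\xe3"))
    return degraded.search(addr) is not None


if __name__ == "__main__":
    print("suspect GET matches:", http_matches(SUSPECT_GET))   # True
    print("benign GET matches: ", http_matches(BENIGN_GET))    # False
    for addr in (ADDR_OUI_FIRST, ADDR_OUI_LATER):
        print(addr.hex(":"), "contains:", oui_contains(addr),
              "slice:", oui_slice(addr), "matches:", oui_matches(addr))
    print("'\\x00' pattern survives as C string:",
          pattern_survives_c_string(b"^\x00\x16\xe3"))         # False
    print("'[^\\x01-\\xff]' pattern survives:",
          pattern_survives_c_string(rb"^[^\x01-\xff]\x16\xe3"))  # True
    print("degraded pattern hits unrelated address:",
          truncated_pattern_matches(ADDR_OUI_LATER))           # True
```

Running it shows the two addresses agreeing on the first filter but not the other two, which is the practical difference to keep in mind when a `contains` filter returns more frames than expected. The last two checks show why the page recommends `[^\x01-\xff]`: that pattern contains no NUL byte, so it survives intact, whereas a pattern holding a real `\x00` is cut off at that byte and then matches far more than intended.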
This will be a long list as this is the meat of what Wireshark does.