
What filter can I use to display a frame with a particular string in a particular field?

I watched a video on the internet and captured the network trace. Inspecting the decrypted packets exported to a text file, I found that frame 909 is the one carrying the HLS chunk 0018.ts. Wireshark visualizes that frame in this way:

No.   Source      Destination                     Protocol   Length
909   10.0.2.15   d105emv5h26k8d.cloudfront.net   HTTP2      433

Info
HEADERS[15]: GET /paessler/segment/f3922ee967ed449e8d56f9e7c98578ab/hls/1645113192470/f3922ee967ed449e8d56f9e7c98578ab-hls_00018.ts, WINDOW_UPDATE[15]

Not knowing the frame number, what can be a suitable filter to display that unique frame? I tried (http2 contains "18.ts"), and also other parts of the file name, for example (http2 contains "/segment/f392"), with no result.
Can you help please?
Thanks and Regards

asked 2023-02-25 16:29:40 +0000 by pippuzzo
updated 2023-02-26 06:07:10 +0000 by Guy Harris

1 Answer

For the sample file (http2-h2c.pcap) on the Wireshark wiki HTTP2 page:

http2.headers.path contains "human"

http2.header.value contains "human"
answered 2023-02-25 16:42:32 +0000 by Chuckc

Comments

Good suggestion. I tried it, but it is not accepted; it remains in red. Luckily, in the meantime a popup help appeared, suggesting "http2.request.full_uri". This in turn works, with the modifier contains etc. Great!

pippuzzo (2023-02-25 17:15:51 +0000)

So, in the end, a good filter is

http2.request.full_uri contains "whatever"

pippuzzo (2023-02-25 17:18:46 +0000)

What version of Wireshark are you running?
Those http2 fields have been around at least since 2.6.0.

Chuckc (2023-02-25 21:46:30 +0000)

Wireshark 4.0.0 64 bit on Windows 10

pippuzzo (2023-02-26 17:37:08 +0000)

I also tested the previous two suggestions:
- http2.headers.path contains "xyz"
- http2.header.value contains "xyz"
and indeed both are good and work. The first one can accept only the trailing part, beginning with "/paessler". The second one, even better, can accept parts of the destination server name, OR the method ("GET" in this case), OR the trailing part.
So, our arsenal of filters is enriched with three "guns".
Thanks

pippuzzo (2023-02-26 19:14:11 +0000)
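Editor's note and added example (not part of the thread). The protocol-level test in the question, http2 contains "18.ts", matches the raw bytes of the HTTP/2 frames; request headers are HPACK-compressed and the path is usually Huffman-coded, so the URL string is not present in cleartext in the frame bytes and the match fails. The three fields named in the thread (http2.request.full_uri, http2.headers.path, http2.header.value) hold the decoded header values, which is why they work. The script below wraps those filters for non-interactive use with tshark, the command-line companion of Wireshark, so the frame can be located from a terminal or a CI job. It assumes tshark is installed and, as in the question, that the capture was decrypted with a TLS key log (the KEYLOG variable and the chosen output fields are this example's own choices). Quotes and backslashes in the search string are escaped so they cannot break out of the display-filter string.

```shell
#!/bin/sh
# Added example, not code from the thread: locate HTTP/2 request frames by URL
# substring with tshark, using the three field-based display filters discussed above.
# Assumes tshark (Wireshark CLI) is installed; KEYLOG may point at an SSLKEYLOGFILE.
set -eu

# Escape a literal string for use inside a double-quoted display-filter string.
# Backslash and double quote are the two characters that must be escaped.
dfilter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build one of the three filters from the thread.
#   $1 = substring to search for
#   $2 = field selector: full_uri (default), path, or value
h2_filter() {
    needle=$(dfilter_escape "$1")
    case "${2:-full_uri}" in
        full_uri) printf 'http2.request.full_uri contains "%s"' "$needle" ;;
        path)     printf 'http2.headers.path contains "%s"' "$needle" ;;
        value)    printf 'http2.header.value contains "%s"' "$needle" ;;
        *)        echo "unknown field selector: $2" >&2; return 1 ;;
    esac
}

# Run tshark over a capture and print frame number, :authority and full URI
# of every matching request.
#   $1 = capture file, $2 = substring, $3 = field selector (see h2_filter)
#   KEYLOG (environment, optional) = TLS key log file used to decrypt the capture
find_h2_requests() {
    pcap=$1; needle=$2; field=${3:-full_uri}
    filter=$(h2_filter "$needle" "$field")
    set -- -r "$pcap" -Y "$filter" -T fields \
        -e frame.number -e http2.headers.authority -e http2.request.full_uri
    # -2 requests two-pass analysis so fields that depend on other frames are
    # filled in before the display filter is applied; harmless for this query.
    if [ -n "${KEYLOG:-}" ]; then
        tshark -2 -o "tls.keylog_file:$KEYLOG" "$@"
    else
        tshark -2 "$@"
    fi
}

# Only invoke tshark when a capture file is given on the command line, so the
# functions above can also be sourced from another script.
if [ -n "${1:-}" ]; then
    find_h2_requests "$1" "${2:-hls_00018.ts}" "${3:-full_uri}"
fi
```

Usage: `KEYLOG=~/sslkeys.log sh find_h2.sh trace.pcapng hls_00018.ts` prints the frame number (909 in the question's capture) together with the host and full URI. Pass `path` or `value` as the third argument to use the other two filters; `value` also matches the :authority and :method pseudo-headers, as the last comment in the thread observed.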