filtering by domain

networking filter wireshark pcap tshark
Eray Balkanli picture Eray Balkanli · Feb 26, 2014 · Viewed 30.9k times · Source

I want to filter my pcap file by their domains. I mean, I want to see the packets comes on a website ends with ".com", ".org" or ".net".

I tried: dns contains "com", ip.src_host == com, ip.src_host == com, http contains "com". None of them worked correctly.

Answer

Thaddeus Albers picture Thaddeus Albers · Feb 26, 2014

Assuming it's http web traffic, try http.host contains ".com"

Better yet, try http.host matches "\.com$"

Neither one will require DNS resolution since they search on the web host.

From http://wiki.wireshark.org/DisplayFilters 

The matches operator makes it possible to search for text in string fields 
and byte sequences using a regular expression, using Perl regular expression 
syntax. Note: Wireshark needs to be built with libpcre in order to be able to 
use the matches operator.

Related questions

How do I Use AutoCompleteTextView and populate it with data from a web API?

I want to use an AutoCompleteTextView in my activity and populate the data as the user types by querying a web API. How do I go about doing this? Do I create a new class and override AutoCompleteTextView.performFiltering, or …

Read More
Mitmproxy url filter

I am using mitmproxy on Mac. I want to filter traffic by specifyc URL. The "intercept" function allows me to pause communication whenever filtered url is noticed. My question is - how can I filter traffic without pausing communication? I …

Read More
How can you find out which process is listening on a port on Windows?

How can you find out which process is listening on a port on Windows?

Read More