Wireshark-users: Re: [Wireshark-users] Wireshark filter "contains" question

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 21 Jul 2010 12:34:50 -0700
On Jul 21, 2010, at 12:29 PM, George Vandelet wrote:

> I have recently found the "contains" filter in wireshark which is VERY powerful.  For instance, if I only want to see http packets that contain the string "SOAP" I could use the filter "http contains SOAP".  However, if I wish to use the filter to show http packets that DON'T contain the string SOAP, I cannot do it!  I have tried using the following without success.
>  http contains !(SOAP)
>  http contains !SOAP
>  http !contains SOAP 
>  
>  Does anyone know a way to negate the "contains" filter?

As Gerald Combs said the previous time you asked this question, the way you negate a "contains" filter - and it works for *any* filter - is to say "not" in front of it:

	not http contains "SOAP"

although that will match all packets that don't have "SOAP" in the HTTP part, including packets that don't have it in the HTTP part because they *have* no HTTP part because, for example, they're not HTTP packets.

Therefore, to see all HTTP packets that don't contain "SOAP", do

	http and not http contains "SOAP"

As Gerald also said, at least if your version of Wireshark includes support for "matches", you can do

	http and not http matches "(?i)soap"

which does case-insensitive matching (so it also filters out "soap" and "SoAp" and "sOAp" and...).
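A small model of the three filters discussed above, added here as an example (it is not from the thread and not Wireshark's own code): it evaluates each filter over a constructed set of packets so the absent-field behaviour of "not http contains" is visible next to the "http and not ..." forms. The packet records, field names and payloads are assumptions made up for the demonstration.

```python
import re

# Constructed sample capture (not a real trace): each record is one packet.
# "http" holds the reassembled HTTP bytes, or None when the packet has no
# HTTP layer at all (e.g. a DNS packet).
PACKETS = [
    {"no": 1, "http": b'POST /svc HTTP/1.1\r\nSOAPAction: "urn:x"\r\n'},
    {"no": 2, "http": b"GET /index.html HTTP/1.1\r\nHost: example\r\n"},
    {"no": 3, "http": None},  # no HTTP layer
    {"no": 4, "http": b"POST /svc HTTP/1.1\r\nContent-Type: soap+xml\r\n"},
]


def has_http(pkt) -> bool:
    """The bare 'http' filter: true only when the HTTP layer is present."""
    return pkt["http"] is not None


def http_contains(pkt, needle: bytes) -> bool:
    """'http contains needle': a byte substring test that is false when
    the field is absent, which is why 'not' over it keeps non-HTTP packets."""
    return has_http(pkt) and needle in pkt["http"]


def http_matches(pkt, pattern: str) -> bool:
    """'http matches pattern': regex test over the field bytes; also false
    when the field is absent. Inline flags such as (?i) work as in PCRE."""
    return has_http(pkt) and re.search(pattern.encode(), pkt["http"]) is not None


def filter_not_contains(packets, needle=b"SOAP"):
    """not http contains "SOAP" -- also keeps packets with no HTTP layer."""
    return [p["no"] for p in packets if not http_contains(p, needle)]


def filter_http_and_not_contains(packets, needle=b"SOAP"):
    """http and not http contains "SOAP" -- HTTP packets only, case-sensitive."""
    return [p["no"] for p in packets if has_http(p) and not http_contains(p, needle)]


def filter_http_and_not_matches(packets, pattern="(?i)soap"):
    """http and not http matches "(?i)soap" -- HTTP packets only, case-insensitive."""
    return [p["no"] for p in packets if has_http(p) and not http_matches(p, pattern)]


if __name__ == "__main__":
    print("not http contains:          ", filter_not_contains(PACKETS))
    print("http and not http contains: ", filter_http_and_not_contains(PACKETS))
    print("http and not http matches:  ", filter_http_and_not_matches(PACKETS))
```

Packet 3 survives only the first filter, and packet 4 (lowercase "soap") survives "contains" but not the case-insensitive "matches" form.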