Official certification from the Wireshark Foundation is available! Learn about becoming a Wireshark Certified Analyst.

String-Matching Capture Filter Generator

1. Enter the string you want to match

2. Enter the offset from the start of the TCP data

3. Copy the filter below

What is this?

It's a web page that lets you create capture filters that match strings in TCP payloads.

What does it do?

It takes the string you enter, splits it into 1, 2, or 4 byte chunks, converts them to numbers, and creates a capture filter that matches those numbers at the offset you provide.

It should handle most UTF-8 characters but this hasn't been tested.

What is it good for?

You can use it to filter things like top-level HTTP requests ("GET / HTTP/1."), HTTP responses ("HTTP/1."), POP3 logins ("USER"), and lots of other things.

What is it NOT good for?

Matching strings at arbitrary locations. You can't do that with capture filters (BPF doesn't support it) You need to use the "matches" or "contains" display filter operators instead. You'll have to use the "matches" display filter operator for case insensitive matching as well.

What's up with all of the fancy bit-twiddling in the TCP header?

It makes sure we skip over any TCP options that might be present. See Sake's explanation for more details.

Shouldn't this sort of thing be built into Wireshark?

Probably.