
I want to filter my pcap file by domain. I mean, I want to see the packets that come from a website ending with ".com", ".org" or ".net".

I tried: dns contains "com", ip.src_host == com, ip.src_host == com, http contains "com". None of them worked correctly.

Filburt
Eray Balkanli
  • Are these saved capture files you are trying to filter, or running captures? From http://www.wireshark.org/docs/wsug_html_chunked/ChAdvNameResolutionSection.html: The resolved names are not stored in the capture file or somewhere else. Resolved DNS names are cached by Wireshark. – Thaddeus Albers Feb 26 '14 at 00:20
  • They are already captured files. Thank you for your answer Thaddeus. – Eray Balkanli Feb 26 '14 at 14:09

1 Answer

Assuming it's http web traffic, try http.host contains ".com"

Better yet, try http.host matches "\.com$"

Neither one will require DNS resolution since they search on the web host.

From http://wiki.wireshark.org/DisplayFilters

The matches operator makes it possible to search for text in string fields and byte sequences using a regular expression, using Perl regular expression syntax. Note: Wireshark needs to be built with libpcre in order to be able to use the matches operator.
Thaddeus Albers
    May I ask, when I write "http" as the filter, I can't see any packets. However, when I write "tcp.port == 80", I can see many packets. Why do you think it happens like that? – Eray Balkanli Feb 26 '14 at 14:08
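The difference between `http.host contains ".com"` and `http.host matches "\.com$"` is easy to see on a handful of Host values. The script below is an added example, not code from the answer or from the Wireshark project: it writes a tiny constructed pcap (Ethernet/IPv4/TCP with one HTTP GET per sample host), pulls the Host header back out the way the `http.host` field does (straight from the request bytes, so no DNS resolution is involved), and then applies both filters plus a generalised `\.(com|org|net)(:\d+)?$` pattern that covers all three TLDs and tolerates an explicit `:port` in the Host header. The sample hostnames, the `ws_contains`/`ws_matches` helpers and the pcap writer are all my own constructions; `ws_matches` models the `matches` operator as case-insensitive, which is how the wireshark-filter(4) page documents it. On a real capture the equivalent command-line check is `tshark -r capture.pcap -Y 'http.host matches "\.(com|org|net)$"'`. Keep in mind that `http.host` only exists for traffic Wireshark dissects as HTTP; for HTTPS the server name is visible in the TLS ClientHello instead (`tls.handshake.extensions_server_name`).

```python
import io
import re
import struct

# Constructed sample Host header values (not taken from the original post).
SAMPLE_HOSTS = [
    "www.example.com",
    "example.community.org",  # contains ".com" but is a .org site
    "cdn.example.net",
    "Example.COM",            # same TLD, different case
    "example.com:8080",       # Host header carrying an explicit port
    "example.co.uk",
]


def build_pcap(hosts):
    """Write a minimal libpcap file with one HTTP GET (Ethernet/IPv4/TCP) per host.

    Checksums are left at zero; that is fine for parsing, Wireshark will merely flag them.
    """
    buf = io.BytesIO()
    # global header: magic, v2.4, tz offset 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    buf.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, host in enumerate(hosts):
        payload = f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
        eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
        # sport, dport 80, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        total = 20 + len(tcp) + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, i, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([93, 184, 216, 34]))
        frame = eth + ip + tcp + payload
        # record header: ts_sec, ts_usec, incl_len, orig_len
        buf.write(struct.pack("<IIII", 1393372800 + i, 0, len(frame), len(frame)))
        buf.write(frame)
    return buf.getvalue()


def http_hosts(pcap_bytes):
    """Return the Host header of every HTTP request in a pcap, in capture order.

    This is what Wireshark's http.host field exposes: the value comes straight
    from the request bytes, so no name resolution is needed.
    """
    hosts = []
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                                # not TCP
            continue
        tcp_off = 14 + ihl
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:]
        if not re.match(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n", payload):
            continue
        m = re.search(rb"^Host:[ \t]*([^\r\n]+)", payload, re.MULTILINE)
        if m:
            hosts.append(m.group(1).decode("ascii", "replace"))
    return hosts


def ws_contains(value, needle):
    """Semantics of `http.host contains ".com"`: case-sensitive substring, anywhere."""
    return needle in value


def ws_matches(value, pattern):
    """Semantics of `http.host matches "..."`: Perl-style regex, modelled as
    case-insensitive (assumption based on the wireshark-filter(4) documentation)."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def compare_filters(pcap_bytes):
    """Apply the two filters from the answer, plus a generalised one, to the capture."""
    hosts = http_hosts(pcap_bytes)
    return {
        'contains ".com"': [h for h in hosts if ws_contains(h, ".com")],
        'matches "\\.com$"': [h for h in hosts if ws_matches(h, r"\.com$")],
        # generalisation: all three TLDs, tolerating an explicit :port suffix
        'matches "\\.(com|org|net)(:\\d+)?$"': [
            h for h in hosts if ws_matches(h, r"\.(com|org|net)(:\d+)?$")
        ],
    }


if __name__ == "__main__":
    for name, hits in compare_filters(build_pcap(SAMPLE_HOSTS)).items():
        print(f"http.host {name}: {hits}")
```

Running it shows why the answer prefers `matches`: `contains ".com"` picks up `example.community.org` (a false positive) and misses `Example.COM` (case), while `\.com$` gets both right but drops `example.com:8080` because the Host header ends in the port, which the `(:\d+)?$` variant accounts for.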