Wireshark-users: Re: [Wireshark-users] Display Filter for text string in TCP payload
Date: Wed, 09 Apr 2008 09:28:29 -0400
Guy Harris wrote:
Feeny, Michael (GWM-CAI) wrote:
Both 'tcp contains "text"' and 'frame contains "text"' *do* work.

My mistake was that it didn't dawn on me that the filters are CASE
SENSITIVE (which makes sense now that I think about it).  When I had
successfully used Edit/Find, the Case Sensitive checkbox was off, so it
succeeded where the filter had not.

As far as I know, we don't have a case-insensitive version of the "contains" operator.

Perhaps your mail is an indication that we should.

"icontains" could be a pre-defined subset of "matches" eg:

frame icontains "PASS"

would be the same as:

frame matches "[Pp][Aa][Ss][Ss]"

Obviously, my ability to speak regex is not so good, I'm sure there's a more efficient way to write it. ;-)

Jason.