WEBVTT

00:00.120 --> 00:08.470
In this lecture, we are going to take a look at the two special operators contains and matches.

00:08.580 --> 00:18.810
So let's start with the contains operator. Contains allows us to search or filter packets based on a

00:18.810 --> 00:22.890
word or phrase that you supply to it.

00:23.160 --> 00:34.020
Let's say you want to display all the packets that contain the word login. Right now, here we can use

00:34.020 --> 00:36.210
the contains operator.

00:36.210 --> 00:44.490
So type TCP contains and type the word that you want to search.

00:44.760 --> 00:46.440
I'm going to type login.

00:46.440 --> 00:57.150
Now, this filter is going to display all the TCP packets that contain the word login.

00:57.150 --> 01:07.710
So if I press enter now, Wireshark has listed all the packets that contain the word login.

01:07.740 --> 01:11.040
As you can see in the first packet, we have the word

01:11.040 --> 01:13.740
login right here: login.php.

01:13.740 --> 01:22.320
But the second packet, userinfo.php, doesn't seem to contain the word login, but the word

01:22.320 --> 01:26.460
login is present somewhere in this packet.

01:26.460 --> 01:34.650
So let me expand the hypertext transfer protocol and the word login should be somewhere here.

01:34.650 --> 01:38.740
As you can see down here, we have the word login.php.

01:38.820 --> 01:43.560
So that's why all the packets that Wireshark has listed here

01:43.560 --> 01:47.280
contain the word login somewhere.

01:47.280 --> 01:49.710
We can use UDP as well.

01:49.740 --> 01:52.890
So replace TCP with UDP.

01:52.890 --> 01:58.470
And this time I'm going to search for, let's say, NY City. Press enter.

01:58.470 --> 02:08.970
Now Wireshark is displaying the UDP packets that contain the word and wide, and the contains operator can

02:08.970 --> 02:12.900
be used with many other protocols as well.

02:13.110 --> 02:15.360
For example, let's say search.

02:15.360 --> 02:27.420
Now as you can see, it is a valid filter. In the same way you can use it with FTP or DNS, DHCP and ARP,

02:27.450 --> 02:27.820
etc.

02:27.930 --> 02:28.500
Right.

02:31.360 --> 02:35.200
The matches operator is similar to contains.

02:35.320 --> 02:39.490
It works very much like the way contains works.

02:39.520 --> 02:45.310
So here if I replace the contains operator with matches.

02:46.370 --> 02:53.990
Now if I press enter, as you can see, guys, it has produced a similar result as contains.

02:54.260 --> 03:03.620
Right now the matches operator offers some additional features which are absent in the contains operator.

03:03.620 --> 03:04.280
The matches

03:04.280 --> 03:09.410
operator was developed to overcome the limitations of contains.

03:09.440 --> 03:19.010
The main limitation of the contains operator is that you can only search for one word or phrase at a time.

03:19.010 --> 03:26.960
You can't search for multiple phrases with a single contains operator, whereas the matches operator allows

03:26.960 --> 03:31.220
us to search for multiple phrases at once.

03:31.700 --> 03:38.030
You can give a group of phrases to it, then it will search those for you.

03:38.300 --> 03:47.390
Let's say I want to display all the packets that contain the word login or success.

03:47.390 --> 03:49.340
Then here we can use the matches

03:49.340 --> 03:59.060
operator. So within the double quotes and parentheses, write the phrases that you want to search for.

03:59.090 --> 04:01.220
Let's say login now.

04:01.220 --> 04:05.030
Separate your phrases with the pipe.

04:07.240 --> 04:08.380
Press enter.

04:08.410 --> 04:17.800
Now, Wireshark has listed all the packets that contain either login or success.

04:17.800 --> 04:25.120
So here, as you can see, all these packets contain either login or success in them.

04:25.150 --> 04:26.260
Let me scroll down.

04:26.260 --> 04:30.370
As you can see, guys, here we have the word success, right?

04:30.370 --> 04:38.050
So with the matches operator, you can search for as many phrases as you like.

04:38.080 --> 04:41.830
Just separate your phrases with a pipe.

04:42.960 --> 04:48.690
And just like contains, you can use matches with other protocols as well.

04:48.720 --> 04:59.860
For example, UDP: let me replace login with an ID and search, or HTTP, TLS, etc.

04:59.880 --> 05:00.450
Right.

05:00.840 --> 05:09.500
Another feature that it offers is that you can use Perl-based regular expressions with the matches

05:09.510 --> 05:10.320
operator.

05:10.350 --> 05:14.490
We will cover regular expressions in another lecture.

05:14.520 --> 05:15.290
Thank you, guys.

05:15.300 --> 05:16.890
I'll see you in the next video.
