WireShark (Win32) - Possible to search for ascii string in packets?

I have a large collection of packets i've been sniffing... the issue is there is a lot of data from various connections, etc.

I wanted to find out if it was possible to search the actual packet collection data for packets that match a specific ascii string using the filter

for example filter tcp.port eq 80 would show only packets that were sent/received on port 80... i want to show only packets that contain a specific ascii (or hex) string

mcaincAsked:
Who is Participating?
 
moorhouselondonCommented:
There are examples here to capture only packets containing certain text strings

http://wiki.wireshark.org/DisplayFilters
0
 
moorhouselondonCommented:
I would say that it is better to setup  a filter without this criteria, but when you have saved the log somewhere, then look for strings.  The reason being that the string may be split between different packets, so if you were searching for "hello world", "hello" might be in one packet "world" would be in another - packets don't treat spaces as delimiters, so it could be "hell" in one packet "o world" in another.  
0
 
mcaincAuthor Commented:
the particular project i'm working on has very small packets, nothing is broken up... is this possible in the actual win32 gui or would i have to parse the .pcap file?
0
 
moorhouselondonCommented:
I setup a filter using the TCP only filter, then started capture.  I then logged into my webmail app, stopped Wireshark capturing.  In the displayed capture log, I went into Edit, Find, selected the string radio button, and searched for my password, which it found in the log.

If you wanted to capture only packets meeting the search criteria then you would have to define a custom capture filter - is this what you are trying to do?  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.