
Wireshark (Win32) - Possible to search for ASCII string in packets?

I have a large collection of packets I've been sniffing... the issue is there is a lot of data from various connections, etc.

I wanted to find out if it was possible to search the actual packet collection data for packets that match a specific ASCII string using the filter.

For example, the filter tcp.port eq 80 would show only packets that were sent/received on port 80... I want to show only packets that contain a specific ASCII (or hex) string.

Asked: mcainc
1 Solution
 
moorhouselondon commented:
I would say that it is better to set up a filter without this criterion, but when you have saved the log somewhere, then look for strings. The reason being that the string may be split between different packets, so if you were searching for "hello world", "hello" might be in one packet and "world" would be in another - packets don't treat spaces as delimiters, so it could be "hell" in one packet and "o world" in another.
 
mcainc (Author) commented:
The particular project I'm working on has very small packets, nothing is broken up... Is this possible in the actual Win32 GUI, or would I have to parse the .pcap file?
 
moorhouselondon commented:
I set up a filter using the TCP only filter, then started capture. I then logged into my webmail app, then stopped Wireshark capturing. In the displayed capture log, I went into Edit, Find, selected the string radio button, and searched for my password, which it found in the log.

If you wanted to capture only packets meeting the search criteria then you would have to define a custom capture filter - is this what you are trying to do?  
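As an added example that is not part of this thread: the split-string caveat raised above is exactly where a per-packet search such as Edit > Find (string) falls short, and it also answers the "would I have to parse the .pcap file" question. The script below reads a classic pcap with only the Python standard library, searches each packet's TCP payload, and then searches each stream after ordering its segments by sequence number. The capture bytes, addresses and ports are constructed for the example.

```python
import struct
from collections import defaultdict

def _frame(seq, payload):
    """One Ethernet/IPv4/TCP frame as a pcap record (constructed addresses, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                         # MACs zeroed, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = eth + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame   # ts_sec, ts_usec, incl, orig

# Constructed capture: "hello world" split as "hell" | "o world" over two segments of one stream.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
               + _frame(1000, b"hell") + _frame(1004, b"o world"))

def tcp_segments(pcap):
    """Yield (stream_key, seq, payload) for each TCP-over-IPv4 packet in a little-endian pcap."""
    pos = 24                                                   # skip the global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, pos + 8)[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                           # not IPv4/TCP, skip it
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl:14 + ip_len]                      # use the IP length, not the frame length
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        yield (src, sport, dst, dport), seq, tcp[doff:]

def find_per_packet(pcap, needle):
    """What a per-packet string search (Edit > Find) sees: packets whose own payload holds the needle."""
    return [i for i, (_, _, data) in enumerate(tcp_segments(pcap)) if needle in data]

def find_in_streams(pcap, needle):
    """Order each direction of a stream by sequence number, join it, then search the whole stream."""
    streams = defaultdict(list)
    for key, seq, data in tcp_segments(pcap):
        streams[key].append((seq, data))
    return [key for key, segs in streams.items()
            if needle in b"".join(data for _, data in sorted(segs))]
```

Retransmitted or overlapping segments are joined as-is here; a full reassembler would deduplicate by sequence range, which is what Wireshark's own Follow TCP Stream does.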
 
moorhouselondon commented:
There are examples here to capture only packets containing certain text strings:

http://wiki.wireshark.org/DisplayFilters
