
How can I search within data, specifically in the TCP segment data?

I've completed the original task I started out trying to accomplish (dissecting four customer captures, looking for one particular packet in each one), but I'm trying to learn from the experience and understand if there's a more effective way of filtering packets. I was looking for a specific string that appears in the TCP segment data. When I Googled, I found a search field for data-text-lines but this does NOT return the packet I'm trying to find, and I can't tell where in the packet that field actually searches. But it was not what I needed.

So I'm trying to figure out if there's a way of searching in that specific field. If I start by typing "tcp" into the filter field, it shows a few options (tcp.port, tcpcl, tcpencap, and tcpros), but none of them look like they would apply, nor does <filtername> contains "data_string" return the one packet with the correct string I need.

Anybody have any suggestions on how to accomplish this?

jmeg8237
asked 2019-10-18 21:56:40 +0000

1 Answer


https://ask.wireshark.org/question/11...
"For TCP, there is the field tcp.payload which is the TCP segment (payload) of the packet, regardless of the upper layer protocol." - SYN-bit
https://www.wireshark.org/docs/man-pa...
Also possible to search the entire frame - frame contains "http"

And in the Wireshark GUI, select Edit->Find Packet ....
Change Display Filter to String or Regular Expression, then change Packet List to Packet Bytes.

Chuckc
answered 2019-10-18 23:31:41 +0000

Comments

Thanks, I'll give that a try.

jmeg8237 (2019-10-19 04:52:48 +0000)
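
An added example, not part of the answer above and not Wireshark code: a small Python scan that does offline what a filter such as tcp.payload contains "data_string" does, and shows why it can differ from frame contains. The function names, addresses, ports and sample frames are constructed for illustration; it assumes a classic pcap file with Ethernet/IPv4 frames.

```python
import struct

def tcp_payload_matches(pcap: bytes, needle: bytes) -> list:
    """Return 1-based frame numbers whose TCP segment data contains needle."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic microsecond pcap (pcapng not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    hits, off, frame_no = [], 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frame_no += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 (VLAN tags, IPv6 skipped)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                      # not TCP, or truncated TCP header
        total_len = struct.unpack("!H", ip[2:4])[0] or len(ip)
        data_off = (ip[ihl + 12] >> 4) * 4
        # Slice by the IP total length so Ethernet padding/trailers are excluded.
        if needle in ip[ihl + data_off:total_len]:
            hits.append(frame_no)
    return hits

def make_frame(payload: bytes, trailer: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + payload + trailer

def make_pcap(frames) -> bytes:
    """Wrap constructed frames in a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    sample = make_pcap([make_frame(b"GET / HTTP/1.1\r\n"),
                        make_frame(b"id=data_string;"),
                        make_frame(b"ping", trailer=b"data_string")])
    print(tcp_payload_matches(sample, b"data_string"))
```

The third constructed frame carries the string only in a trailer after the IP datagram, so a whole-frame search would hit it while the segment-data search does not. The scan looks inside one segment at a time, so a string split across two segments is not found.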