Is there an efficient way in Wireshark to search for a particular packet sequence in a capture file? For example, I want to search for a sequence of three consecutive packets, where: packet 1 is a first particular type of packet, packet 2 is a second particular type of packet, and packet 3 is a third particular type of packet.

asked 31 May '12, 08:57 Kali
One Answer:
You cannot search for a "sequence", but you can combine display filters with or to get almost the same result.
This will show:
That's the only way of doing it, without Lua. If you tell us a bit more about your use case (pattern to match), we might be able to give more detailed "instructions". With Lua, you can create a Listener and look for whatever criteria you are interested in. However, that requires programming skills or somebody to do it for you.
Regards

answered 31 May '12, 09:27 Kurt Knochner ♦, edited 31 May '12, 09:34
Thanks much for the response, Kurt. Maybe Lua is the answer. In particular, I am looking for an efficient way to search a huge wlan capture file for the following packet sequence: 1) Beacon packet with non-zero TIM; 2) Null Function packet with PM bit clear; 3) ACK; 4) Data packet; 5) ACK.
O.K. Is one criterion the order of the packets, meaning: do they have to appear in that order to be a valid match? If so, Lua is one way to do it. However, it requires some programming skills to write that script. Another way would be tshark with a display filter that matches all of those conditions (like my facebook example) and some script (Perl, bash, ) to filter out only those packets that appear in the defined order.
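The tshark-plus-script approach from the comment above, worked through as an added example (not code from the thread or from the Wireshark project). It assumes the capture was first exported with `tshark -r capture.pcap -T fields -e ...` into tab-separated lines, and it generalizes the five-step pattern from the question into a list of per-packet predicates, so any ordered sequence can be matched with the same sliding-window loop. `wlan.fc.type_subtype` and `wlan.fc.pwrmgt` are real Wireshark field names; the TIM bitmap field name and the sample output lines are constructed for this example.

```python
"""Find an ordered sequence of 802.11 packets in tshark field output.

Assumed export command (the -Y filter keeps only the packet kinds of interest,
so "consecutive" is judged on the filtered stream):
  tshark -r capture.pcap -Y "wlan.fc.type_subtype in {0x08 0x24 0x1d 0x20}" \
         -T fields -e frame.number -e wlan.fc.type_subtype \
         -e wlan.fc.pwrmgt -e wlan.tim.partial_virtual_bitmap
"""
import csv
from io import StringIO
from typing import Callable, Dict, List, Sequence, Tuple

Record = Dict[str, str]
Predicate = Callable[[Record], bool]

# Column order must match the -e options above. The TIM bitmap field name is an
# assumption for this example; the other three are standard Wireshark fields.
FIELDS = ["frame.number", "wlan.fc.type_subtype",
          "wlan.fc.pwrmgt", "wlan.tim.partial_virtual_bitmap"]

# Constructed sample output: three candidate runs, only the first one valid.
# Frames 6-10 fail on an all-zero TIM, frames 11-15 fail on PM bit set.
SAMPLE_TSHARK_OUTPUT = """\
1\t0x0008\t0\t01
2\t0x0024\t0\t
3\t0x001d\t0\t
4\t0x0020\t0\t
5\t0x001d\t0\t
6\t0x0008\t0\t00
7\t0x0024\t0\t
8\t0x001d\t0\t
9\t0x0020\t0\t
10\t0x001d\t0\t
11\t0x0008\t0\t01
12\t0x0024\t1\t
13\t0x001d\t0\t
14\t0x0020\t0\t
15\t0x001d\t0\t
"""

# frame control type/subtype values: beacon, null function, ACK, data
SUBTYPE_BEACON, SUBTYPE_NULL, SUBTYPE_ACK, SUBTYPE_DATA = 0x08, 0x24, 0x1D, 0x20


def to_int(value: str, default: int = 0) -> int:
    """Parse a tshark numeric field, which may be hex ('0x0008') or decimal."""
    value = value.strip()
    if not value:
        return default
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def bitmap_nonzero(hex_bytes: str) -> bool:
    """True if a colon-separated hex byte string (e.g. '00:20') has any set bit."""
    raw = bytes.fromhex(hex_bytes.strip().replace(":", ""))
    return any(b != 0 for b in raw)


def parse_records(text: str) -> List[Record]:
    """Turn tab-separated tshark -T fields output into one dict per packet."""
    reader = csv.reader(StringIO(text), delimiter="\t")
    return [dict(zip(FIELDS, row)) for row in reader if row]


def subtype_is(value: int) -> Predicate:
    return lambda r: to_int(r["wlan.fc.type_subtype"]) == value


def is_beacon_with_tim(r: Record) -> bool:
    return (to_int(r["wlan.fc.type_subtype"]) == SUBTYPE_BEACON
            and bitmap_nonzero(r["wlan.tim.partial_virtual_bitmap"]))


def is_null_pm_clear(r: Record) -> bool:
    return (to_int(r["wlan.fc.type_subtype"]) == SUBTYPE_NULL
            and to_int(r["wlan.fc.pwrmgt"]) == 0)


# The five-step sequence from the question, one predicate per position.
KALI_SEQUENCE: Sequence[Predicate] = [
    is_beacon_with_tim, is_null_pm_clear,
    subtype_is(SUBTYPE_ACK), subtype_is(SUBTYPE_DATA), subtype_is(SUBTYPE_ACK),
]


def find_sequences(records: List[Record],
                   pattern: Sequence[Predicate]) -> List[Tuple[int, ...]]:
    """Return the frame numbers of every run of consecutive records where
    record i+k satisfies pattern[k] for all k (overlapping runs allowed)."""
    matches = []
    for start in range(len(records) - len(pattern) + 1):
        window = records[start:start + len(pattern)]
        if all(pred(rec) for pred, rec in zip(pattern, window)):
            matches.append(tuple(int(r["frame.number"]) for r in window))
    return matches


if __name__ == "__main__":
    for frames in find_sequences(parse_records(SAMPLE_TSHARK_OUTPUT), KALI_SEQUENCE):
        print("sequence at frames", frames)
```

To run it against a real capture, pipe the tshark command from the docstring into `parse_records` instead of the constructed sample. Keeping the tshark display filter restricted to the packet kinds in the pattern is what makes "consecutive" meaningful on a huge wlan capture: unrelated frames (other stations' traffic, probe requests) are removed before the ordering check, and the Python side only has to walk the reduced list once.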