This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Searching for a Packet Sequence


Is there an efficient way in Wireshark to search for a particular packet sequence in a capture file? For example, I want to search for a sequence of three consecutive packets, where: packet 1 is a first particular type of packet, packet 2 is a second particular type of packet, and packet 3 is a third particular type of packet.

asked 31 May '12, 08:57

Kali


One Answer:


You cannot search for a "sequence", but you can combine display filters with or to get almost the same result.

dns.qry.name contains "facebook.com" or (http.request and http.host contains "facebook.com") or (icmp and ip.addr eq 69.171.242.11)

This will show:

  1. the dns request to *.facebook.com
  2. then the HTTP Request to that site
  3. and then a ping to one IP address of facebook

That's the only way of doing it, without Lua. If you tell us a bit more about your usecase (pattern to match), we might be able to give more detailed "instructions".

With Lua, you can create a Listener and look for whatever criteria you are interested in. However, that requires programming skills or somebody to do it for you.

http://www.wireshark.org/docs/wsug_html_chunked/wsluarm.html

Regards
Kurt

answered 31 May '12, 09:27

Kurt Knochner ♦

edited 31 May '12, 09:34

Thanks much for the response, Kurt. Maybe Lua is the answer. In particular, I am looking for an efficient way to search a huge wlan capture file for the following packet sequence: 1) Beacon packet with non-zero TIM; 2) Null Function packet with PM bit clear; 3) ACK; 4) Data packet; 5) ACK.

(31 May '12, 10:16) Kali

O.K. is one criterion the order of the packets, meaning: do they have to appear in the order to be a valid match? If so, Lua is one way to do it. However, it requires some programming skills to write that script. Another way would be tshark with a display filter that matches all of those conditions (like my facebook example) and some script (Perl, bash, ...) to filter out only those packets that appear in the defined order.

(31 May '12, 10:30) Kurt Knochner ♦
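As an added example, not code from the thread or from the Wireshark project, here is the tshark-plus-script approach Kurt describes, applied to Kali's five-packet sequence: export one line per frame with tshark, then slide a window over the rows and report every run of consecutive frames that satisfies the rules in order. The tshark command, the field names, the type/subtype codes and the sample rows are assumptions constructed for this example; check the names against `tshark -G fields` for your version before relying on them.

```python
# Added example: ordered packet-sequence search over tshark field output.
# Assumed export command (one tab-separated row per frame, ASSUMPTION):
#   tshark -r huge.pcap -T fields -E separator=/t \
#     -e frame.number -e wlan.fc.type_subtype -e wlan.fc.pwrmgt \
#     -e wlan.tim.partial_virtual_bitmap > frames.tsv
from typing import Callable, Dict, List

# Constructed sample rows in that layout: frame, type_subtype, pwrmgt, tim bitmap.
# Subtype codes used here (ASSUMPTION): 0x08 beacon, 0x24 null function,
# 0x1d ACK, 0x20 data. Frames 2-6 form one valid sequence; 7-9 do not.
SAMPLE_TSV = (
    "1\t0x08\t\t00\n"      # beacon, TIM bitmap all zero -> no match
    "2\t0x08\t\t02\n"      # beacon with non-zero TIM
    "3\t0x24\t0\t\n"       # null function, PM bit clear
    "4\t0x1d\t\t\n"        # ACK
    "5\t0x20\t0\t\n"       # data
    "6\t0x1d\t\t\n"        # ACK
    "7\t0x08\t\t00\n"      # beacon, zero TIM
    "8\t0x24\t1\t\n"       # null function, PM bit set
    "9\t0x1d\t\t\n"        # ACK
)

Row = Dict[str, str]
Rule = Callable[[Row], bool]

def parse_rows(text: str) -> List[Row]:
    """Turn tab-separated tshark output into dicts; missing columns become ''."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            cols = (line.split("\t") + [""] * 4)[:4]
            rows.append(dict(zip(("frame", "subtype", "pm", "tim"), cols)))
    return rows

# One predicate per position in Kali's sequence (TIM bytes print as hex,
# possibly colon-separated, so a bitmap is non-zero if any non-'0' digit remains).
def beacon_nonzero_tim(r: Row) -> bool: return r["subtype"] == "0x08" and r["tim"].strip("0:") != ""
def null_pm_clear(r: Row) -> bool: return r["subtype"] == "0x24" and r["pm"] == "0"
def ack(r: Row) -> bool: return r["subtype"] == "0x1d"
def data(r: Row) -> bool: return r["subtype"] == "0x20"

SEQUENCE: List[Rule] = [beacon_nonzero_tim, null_pm_clear, ack, data, ack]

def find_sequences(rows: List[Row], sequence: List[Rule]) -> List[int]:
    """Return the frame number starting each run of consecutive rows whose
    k-th row satisfies sequence[k]. Sliding window, O(len(rows) * len(sequence))."""
    n = len(sequence)
    return [int(rows[i]["frame"]) for i in range(len(rows) - n + 1)
            if all(rule(rows[i + k]) for k, rule in enumerate(sequence))]

if __name__ == "__main__":
    print("sequence starts at frames:", find_sequences(parse_rows(SAMPLE_TSV), SEQUENCE))
```

"Consecutive" here means consecutive in the exported rows, so if you add a display filter to the tshark export, unrelated frames between the five packets are dropped before matching; export without a filter if strict adjacency in the capture matters.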