This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have added a few comments on a packet capture file in the Pcap NG format. Is there a way to filter/search for these comments?

Thanks, Brian

asked 29 Nov '12, 06:46

brwiese's gravatar image

brwiese
26111211
accept rate: 50%


The best way in Wireshark is to use a display filter like this one:

pkt_comment contains "searchString"

If you prefer command line then I'd recommend tshark + grep:

tshark -r dump.pcapng -T fields -e pkt_comment -R pkt_comment | grep SearchString

Please see the blog post HowTo handle PcapNG files for more details.

permanent link

answered 06 Dec '12, 05:05

Netresec's gravatar image

Netresec
162
accept rate: 0%

edited 06 Dec '12, 05:07

You can use the search function.

Edit -> Find Packet

Select these options:

  • String
  • packet details

The other option is a Display Filter:

frame.comment contains "Your string"

Regards
Kurt

permanent link

answered 29 Nov '12, 06:52

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 29 Nov '12, 06:54

Or use the filter "pkt_comment" or "frame.comment" or "frame.comment=="My comment".

The last one may be tricky as I think it includes \a \n etc.

(29 Nov '12, 07:07) Anders ♦

Or add a custom column with the "frame.comment" setting as column value. This might not be useful for large file with only a few scattered comments though.

(29 Nov '12, 09:13) Jasper ♦♦

I found pkt_comment contains "searchString" does not work, but frame.comment contains "Your string" works.

Not know why.

The wireshark version is Version 1.12.3 (v1.12.3-0-gbb3e9a0 from master-1.12).

permanent link

answered 09 Mar '15, 01:33

yuguang's gravatar image

yuguang
1
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×238
×5
×1

question asked: 29 Nov '12, 06:46

question was seen: 16,374 times

last updated: 09 Mar '15, 01:33

p​o​w​e​r​e​d by O​S​Q​A