I have added a few comments on a packet capture file in the Pcap NG format. Is there a way to filter/search for these comments?
Thanks, Brian
asked 29 Nov '12, 06:46 brwiese
3 Answers:
The best way in Wireshark is to use a display filter like this one:
If you prefer command line then I'd recommend tshark + grep:
Please see the blog post HowTo handle PcapNG files for more details.
answered 06 Dec '12, 05:05 Netresec edited 06 Dec '12, 05:07
You can use the search function.
Select these options:
The other option is a Display Filter:
Regards
answered 29 Nov '12, 06:52 Kurt Knochner ♦ edited 29 Nov '12, 06:54
I found pkt_comment contains "searchString" does not work, but frame.comment contains "Your string" works. I don't know why. The Wireshark version is Version 1.12.3 (v1.12.3-0-gbb3e9a0 from master-1.12).
answered 09 Mar '15, 01:33 yuguang
Or use the filter "pkt_comment" or "frame.comment" or frame.comment=="My comment".
The last one may be tricky as I think it includes \a \n etc.
Or add a custom column with the "frame.comment" setting as column value. This might not be useful for a large file with only a few scattered comments though.
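An offline counterpart to the display-filter and tshark + grep approaches discussed in this thread, added here as an example and not posted by any of the participants: it walks the blocks of a pcapng file and returns the packet comments (opt_comment, option code 1, on Enhanced Packet Blocks) that contain a search string. The function names and the sample capture are constructed for illustration.

```python
import struct

SHB, SPB, EPB, OPT_COMMENT = 0x0A0D0D0A, 3, 6, 1  # pcapng block types, opt_comment code

def pad4(n):
    return (n + 3) & ~3  # packet data and option values are padded to 32 bits

def packet_comments(data):
    """Yield (frame_number, comment) for each opt_comment on an Enhanced Packet Block."""
    pos, endian, frame = 0, "<", 0
    while pos + 12 <= len(data):
        if data[pos:pos + 4] == b"\x0a\x0d\x0d\x0a":  # new section: re-read byte order
            endian = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, pos)
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {pos}")
        body = data[pos + 8:pos + blen - 4]
        pos += blen
        frame += btype in (SPB, EPB)  # packet blocks are numbered from 1, as in Wireshark
        if btype != EPB or len(body) < 20:
            continue
        opt = 20 + pad4(struct.unpack_from(endian + "I", body, 12)[0])  # skip packet data
        while opt + 4 <= len(body):
            code, olen = struct.unpack_from(endian + "HH", body, opt)
            if code == 0:  # opt_endofopt
                break
            if code == OPT_COMMENT:
                yield frame, body[opt + 4:opt + 4 + olen].decode("utf-8", "replace")
            opt += 4 + pad4(olen)

def search_comments(data, needle):  # case-sensitive, like a `contains` display filter
    return [(n, c) for n, c in packet_comments(data) if needle in c]

def _block(btype, body):
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_sample():
    """Constructed little-endian capture: 3 packets, comments on frames 1 and 3."""
    def epb(payload, comment=b""):
        opts = b""
        if comment:
            opts = struct.pack("<HH", OPT_COMMENT, len(comment))
            opts += comment.ljust(pad4(len(comment)), b"\0") + struct.pack("<HH", 0, 0)
        head = struct.pack("<5I", 0, 0, 0, len(payload), len(payload))
        return _block(EPB, head + payload.ljust(pad4(len(payload)), b"\0") + opts)
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(1, struct.pack("<HHI", 1, 0, 0))  # Ethernet link type, no snaplen limit
    return (shb + idb + epb(b"\x01\x02\x03", b"suspicious beacon")
            + epb(b"\x04" * 8) + epb(b"\x05" * 5, b"benign DNS retry"))
```

For a real capture, pass the file contents read in binary mode to search_comments in place of build_sample().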