This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Searching/Filtering Comments on packets in Pcap ng file

0

I have added a few comments on a packet capture file in the Pcap NG format. Is there a way to filter/search for these comments?

Thanks, Brian

asked 29 Nov '12, 06:46

brwiese


3 Answers:

1

The best way in Wireshark is to use a display filter like this one:

pkt_comment contains "searchString"

If you prefer the command line, then I'd recommend tshark + grep:

tshark -r dump.pcapng -T fields -e pkt_comment -R pkt_comment | grep SearchString

Please see the blog post HowTo handle PcapNG files for more details.

answered 06 Dec '12, 05:05

Netresec

edited 06 Dec '12, 05:07

0

You can use the search function.

Edit -> Find Packet

Select these options:

  • String
  • packet details

The other option is a Display Filter:

frame.comment contains "Your string"

Regards
Kurt

answered 29 Nov '12, 06:52

Kurt Knochner ♦

edited 29 Nov '12, 06:54

Or use the filter "pkt_comment" or "frame.comment" or "frame.comment=="My comment"".

The last one may be tricky as I think it includes \a \n etc.

(29 Nov '12, 07:07) Anders ♦

Or add a custom column with the "frame.comment" setting as column value. This might not be useful for a large file with only a few scattered comments though.

(29 Nov '12, 09:13) Jasper ♦♦

0

I found that pkt_comment contains "searchString" does not work, but frame.comment contains "Your string" works.

I don't know why.

The Wireshark version is Version 1.12.3 (v1.12.3-0-gbb3e9a0 from master-1.12).

answered 09 Mar '15, 01:33

yuguang