This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

limit search to within one particular packet

Hi, I know how to use a filter to find particular packets.

But what if I just want to find something within a particular packet?

For example, I have a packet with lots of measurements. Each measurement is a tree item. I want to see if one particular measurement (say id "mea20004") occurs more than once. I can painstakingly visually going through the entire tree and find all the items with that id, or is there a way I can use keyboard combo or filter to search for it?

limited search one packet to

asked 22 Apr '14, 09:59

YXI
21●18●20●23
accept rate: 0%

I saw a way to do this in Wireshark, but it's not working all correctly. In Edit->Find Packet, you can choose By String, and Search in Packet details.
Good news is it finds the first occurrence of my measurement. However, then no matter what you do, either find next, find previous, direction up, or down, it keeps locating the first occurrence, not the next ones.
Is this a bug?

(23 Apr '14, 08:24) YXI

OK, find next will find the string in the next packet, not the second time the string occurs in the same packet. That's not what I need then.

(23 Apr '14, 08:51) YXI

what is your protocol and is this you own (custom) dissector?

(23 Apr '14, 11:42) Kurt Knochner ♦

Yes, it is my own dissector in Lua.

(24 Apr '14, 07:15) YXI

2 Answers:

Command line, GNU grep, and tshark e.g.

tshark -r file.pcap -R "frame.number == X" | grep -wc mea20004

where X is the frame number. This should work on all UN*Xes that have a grep command that supports -w and -c, such as GNU grep, and may work on Windows if you have a version of grep like that available.

answered 22 Apr '14, 13:41

Roland
764●2●4●15
accept rate: 13%

edited 24 Apr '14, 15:56

Guy Harris ♦♦
17.4k●3●35●196

Hi, Thanks so much.
I modified the command. The main thing is the -V option. Have to have that.

tshark -r myCaputre.pcap -Y "frame.number==49" -V |grep -n mea20004

142: Values for MeasurementID: mea20004

175: Values for MeasurementID: mea20004

This is helpful, but I really want a solution using Wireshark instead of tshark. The reason is I would like to see where the two occurrences are in the full tree. Just knowing line numbers is not very intuitive.

Is there a way to do this inside Wireshark?

(23 Apr '14, 08:09) YXI

or is there a way I can use keyboard combo or filter to search for it?

No.

The ability to search within a packet, separate from the ability to search within the list of packets, would probably be a useful new feature. You should probably file this as an enhancement request on the Wireshark bugzilla; the Q&A site is probably not the best place to discuss the details of a requested new feature.

answered 24 Apr '14, 15:45

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%