I have a UNIX server that has two network interfaces, one for incoming traffic and one for outgoing traffic. I can run a SNOOP on each interface as audio-content was sent through my server. Afterwards, I can analyze my SNOOPs and 'follow TCP stream' to find the exact audio files, proving they went in and out of my server. However, I need to compare the size of the files to ensure that my server didn't strip the files, sending out an empty 'shell'. The only way I can think of finding the size of the packets is to look at the MAIN view in Wireshark and click packet-by-packet until I see something relating to my audio files in the lower preview window. My SNOOP has 1000+ lines - is there an easier way to locate the exact raw packet for my audio data (to determine its size) by searching on a phrase within the packet's content?

asked 30 Aug '14, 07:15 guiltyspark232
2 Answers:
I may have misunderstood the question but it sounds like you need to do a Find (Ctl-F) with:
Best regards...Paul

answered 30 Aug '14, 14:16 PaulOfford
You can try the following display filter
Regards

answered 31 Aug '14, 04:24 Kurt Knochner ♦
Thank you, that's the answer, I wasn't looking closely at the FIND feature. When I use this feature, it finds the first packet in the packet list with my phrase in the TCP stream; how can I move to the next packet it's found? I notice the FIND window disappears when viewing the first result.
Find Next (Ctrl + N).
There's also Find Previous (Ctrl + B)
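The same phrase search can be scripted against the raw snoop file instead of stepping through the packet list. This is an added example, not part of the original thread: it reads the snoop record layout (RFC 1761) and reports the number and size of each packet whose captured bytes contain a phrase. The function names and the sample frames are constructed for illustration.

```python
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"
# Per-record header, big-endian: orig_len, incl_len, rec_len, drops, ts_sec, ts_usec
REC_HDR = struct.Struct(">IIIIII")


def iter_snoop_records(data):
    """Yield (packet_number, bytes_on_wire, captured_bytes) for each record."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture")
    version, _datalink = struct.unpack(">II", data[8:16])
    if version != 2:
        raise ValueError("unsupported snoop version %d" % version)
    offset, number = 16, 0
    while offset + REC_HDR.size <= len(data):
        orig_len, incl_len, rec_len, _d, _s, _u = REC_HDR.unpack_from(data, offset)
        # rec_len covers header + data + padding; reject impossible values
        if rec_len < REC_HDR.size + incl_len or offset + rec_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % offset)
        number += 1
        start = offset + REC_HDR.size
        yield number, orig_len, data[start:start + incl_len]
        offset += rec_len


def find_phrase(data, phrase):
    """Return [(packet_number, bytes_on_wire, bytes_captured)] for matching packets."""
    return [(n, wire, len(p)) for n, wire, p in iter_snoop_records(data) if phrase in p]


def build_snoop(packets, datalink=4):
    """Build a constructed capture for the demo (datalink 4 = Ethernet)."""
    out = SNOOP_MAGIC + struct.pack(">II", 2, datalink)
    for i, pkt in enumerate(packets):
        pad = -(REC_HDR.size + len(pkt)) % 4  # records are padded to 4 bytes
        out += REC_HDR.pack(len(pkt), len(pkt), REC_HDR.size + len(pkt) + pad, 0, i, 0)
        out += pkt + b"\x00" * pad
    return out


if __name__ == "__main__":
    # Constructed frames: 54 filler bytes stand in for Ethernet/IP/TCP headers.
    sample = build_snoop([b"\x00" * 54 + b"GET /a.wav",
                          b"\x00" * 54 + b"RIFF\x24\x08\x00\x00WAVEfmt ",
                          b"\x00" * 60])
    for number, wire, captured in find_phrase(sample, b"WAVE"):
        print("packet %d: %d bytes on wire, %d captured" % (number, wire, captured))
```

The match is per packet, so a phrase split across two TCP segments is not found, and the reported sizes include the link, IP and TCP headers of each frame.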