This is our old Q&A Site. Please post any new questions and answers at

I've just noticed the following while playing with a wireshark trace: http contains "\x89\x50\x4E\x47" finds the correct packet with png signature in the http content. On the contrary, a CTRL + F for Find, then selecting the HEX options and typing 89 50 4E 47 (no case sensitive), only finds a different packet with that hex sequence in the tcp segment data. Basically, it finds the sequence in a TCP packet but seems to ignore packets categorized as HTTP and the http content. By any chance, do you know if it's a bug or by design in wireshark?

Thank you

asked 06 Mar '15, 09:10

halfluke's gravatar image

accept rate: 0%

Did you verify that it does not highlight the TCP segment that contains a part of the HTTP payload that is later reassembled so as to be decoded by the HTTP dissector? If you could share the pcap file, it would allow to verify this hypothesis.

(06 Mar '15, 22:28) Pascal Quantin

sorry I've just seen your reply. I cannot find the trace where I experienced that behaviour. I have a new one now and the Find seems to be able to find both in "tcp" and "http" packets. I will try to reproduce as soon as I have some time But thank you!

(18 Mar '15, 10:39) halfluke
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 06 Mar '15, 09:10

question was seen: 3,099 times

last updated: 18 Mar '15, 10:39

p​o​w​e​r​e​d by O​S​Q​A