This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Search for a string that spans over two data packets

I was searching for a string that spans over two TCP data packets, but it doesn't find it.

My Wireshark is 1.10.6. Thanks.

asked 28 Dec '15, 07:06

pktUser1001

Do you have an example trace for us?

(28 Dec '15, 12:45) Christian_R

Thanks @christian_r, here is an example pcap: https://www.dropbox.com/s/5gbpbea0rzxr3c2/http1.pcap?dl=0

(28 Dec '15, 13:08) pktUser1001

2 Answers:

So in this case you have to enable reassembling of the TCP segments AND the reassembling of the HTTP bodies and headers. You can activate it by right-clicking the HTTP header in the packet details and activating the reassembly features, as shown in the first screenshot.

After that you can use the search dialog shown in the question. Then it should show you the string in the reassembled byte view, as you can see in the second screenshot.

Screenshot 1: (image not archived)

Screenshot 2: (image not archived)

answered 28 Dec '15, 16:00

Christian_R

Thanks @Christian_R, the key is to select the radio button "Packet details". I used "Packet bytes", which didn't work in this case. I wonder if there is a reference on exactly what "Packet details" is; does it mean the reassembled TCP data?

(28 Dec '15, 18:38) pktUser1001

Do you know the TCP/IP address? If yes, then right-click on any packet in the same sequence -> Follow TCP Stream. In the newly opened window you can find a string if it exists in the particular dump.

answered 28 Dec '15, 08:31

Vladimir Rõk...

Thanks @vladimir-rokovanov. Unfortunately I don't know the IP address. Even if I knew the session, finding the occurrence via Follow TCP Stream will not tell me which packets contain this string. Any ideas?

(28 Dec '15, 09:24) pktUser1001

You can try searching for one part of the string and then follow that TCP stream.

(28 Dec '15, 10:34) Vladimir Rõk...

That could be a workaround, albeit tedious when the string is long. Thanks for the idea. Hope there is a clean method.

(28 Dec '15, 11:56) pktUser1001