Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




6.8. Finding packets

You can easily find packets once you have captured some packets or have read in a previously saved capture file. Simply select the Find Packet... menu item from the Edit menu. Wireshark will pop up the dialog box shown in Figure 6.8, “The "Find Packet" dialog box”.

6.8.1. The "Find Packet" dialog box

Figure 6.8. The "Find Packet" dialog box

The "Find Packet" dialog box

You might first select the kind of thing to search for:

  • Display filter

    Simply enter a display filter string into the Filter: field, select a direction, and click on OK.

    For example, to find the three way handshake for a connection from host, use the following filter string:

    ip.src== and tcp.flags.syn==1

    For more details on display filters, see Section 6.3, “Filtering packets while viewing”

  • Hex Value

    Search for a specific byte sequence in the packet data.

    For example, use "00:00" to find the next packet including two null bytes in the packet data.

  • String

    Find a string in the packet data, with various options.

The value to be found will be syntax checked while you type it in. If the syntax check of your value succeeds, the background of the entry field will turn green, if it fails, it will turn red.

You can choose the search direction:

  • Up

    Search upwards in the packet list (decreasing packet numbers).

  • Down

    Search downwards in the packet list (increasing packet numbers).

6.8.2. The "Find Next" command

"Find Next" will continue searching with the same options used in the last "Find Packet".

6.8.3. The "Find Previous" command

"Find Previous" will do the same thing as "Find Next", but with reverse search direction.

  Published under the terms fo the GNU General Public License Design by Interspire