This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

search in uncompressed packet bytes

0

I've captured some http packets and want to find out which ones contain some string. I use "Edit->Find Packet" with "Packet bytes" option selected, but it doesn't find anything because the data is compressed (Content-Encoding: gzip). When I search in "Packet details", it doesn't find everything because some lines are too long and get truncated.

Is there any way to search in uncompressed packet bytes?

asked 08 Oct '11, 11:56

humanista


One Answer:

2

My first suggestion would have been to use "http contains <xxx>", but "http" only points to the compressed data. Digging a little deeper gives me a second suggestion that does seem to work. The uncompressed data is put in a new TVB and in the packet-details pane the dissection is listed under "data-text-lines". So you can use the (search or display) filter:

http and data-text-lines contains "<XXX>"

Hope this works for you!

answered 09 Oct '11, 00:43

SYN-bit ♦♦

'http and data-text-lines contains "string"' works perfectly. Thank you very much!

(09 Oct '11, 10:41) humanista

(converted your "answer" to a "comment"; please see the FAQ for details)

(09 Oct '11, 13:32) SYN-bit ♦♦