
How can I search within data, specifically in the TCP segment data?

asked 2019-10-18 21:56:40 +0000

jmeg8237

I've completed the original task I started out trying to accomplish (dissecting four customer captures, looking for one particular packet in each one), but I'm trying to learn from the experience and understand if there's a more effective way of filtering packets. I was looking for a specific string that appears in the TCP segment data. When I Googled, I found a search field for data-text-lines but this does NOT return the packet I'm trying to find, and I can't tell where in the packet that field actually searches. But it was not what I needed.

So I'm trying to figure out if there's a way of searching in that specific field. If I start by typing "tcp" into the filter field, it shows a few options (tcp.port, tcpcl, tcpencap, and tcpros), but none of them look like they would apply, nor does <filtername> contains "data_string" return the one packet with the correct string I need.

Anybody have any suggestions on how to accomplish this?


1 Answer


answered 2019-10-18 23:31:41 +0000

Chuckc

"For TCP, there is the field tcp.payload which is the TCP segment (payload) of the packet, regardless of the upper layer protocol." - SYN-bit

It is also possible to search the entire frame: frame contains "http"

And in the Wireshark GUI, select Edit -> Find Packet...
Change Display Filter to String or Regular Expression, then change Packet List to Packet Bytes.



Thanks, I'll give that a try.

jmeg8237 (2019-10-19 04:52:48 +0000)
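
The difference between the two filters in the answer above, `frame contains` and a `contains` match on `tcp.payload`, shown as an added example (not code from the original post or from Wireshark): a minimal parser that extracts the TCP segment data from Ethernet/IPv4 frames and searches it separately from the whole frame. The function names, the needle `ORD-77` and the three-packet capture are constructed for illustration.

```python
import struct

def tcp_payload(frame):
    """TCP segment data of an Ethernet/IPv4/TCP frame, or None if not TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                    # IP protocol 6 = TCP
        return None
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                              # drops Ethernet padding
    if len(tcp) < 20:
        return None
    data_offset = (tcp[12] >> 4) * 4                     # skips TCP options too
    return tcp[data_offset:] if data_offset >= 20 else None

def read_pcap(blob):
    """Yield (frame_number, frame_bytes) from a classic little-endian pcap."""
    if struct.unpack("<I", blob[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    pos, number = 24, 0
    while pos + 16 <= len(blob):
        incl_len = struct.unpack("<I", blob[pos + 8:pos + 12])[0]
        number += 1
        yield number, blob[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def search(blob, needle):
    """Frame numbers matched whole-frame vs. TCP-payload-only."""
    frames = list(read_pcap(blob))
    in_frame = [n for n, f in frames if needle in f]      # like: frame contains
    in_payload = [n for n, f in frames
                  if needle in (tcp_payload(f) or b"")]   # like: tcp.payload contains
    return in_frame, in_payload

# Constructed sample capture (hypothetical data, not from the page).
def make_frame(payload, src_mac=b"\x02\x00\x00\x00\x00\x01"):
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x02\x00\x00\x00\x00\x02" + src_mac + b"\x08\x00" + ip + tcp

def make_pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = make_pcap([make_frame(b"GET / HTTP/1.1\r\n"),
                    make_frame(b"order_id=ORD-7731"),
                    make_frame(b"", src_mac=b"ORD-77")])  # needle only in a header
print(search(SAMPLE, b"ORD-77"))                          # ([2, 3], [2])
```

Frame 3 matches the whole-frame search only because the bytes happen to appear in its Ethernet header, which is the kind of false positive that restricting the search to the TCP segment data avoids.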



Asked: 2019-10-18 21:56:40 +0000

Seen: 31,231 times

Last updated: Oct 18 '19