Ask Your Question
0

displaying only lines with needed string in search (and lines count)

asked 2017-11-10 12:17:20 +0000

Nik108 gravatar image

Guys How do I search for a string and only displaying ALL lines containing the string (and get total number of lines to compare to another file) thanks in advance

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-11-10 13:40:03 +0000

sindy gravatar image

updated 2017-11-11 20:51:48 +0000

Edit according to the comment below:

sorry, I was confused by keywords "string" and "line" which normally refer to text processing.

In Wireshark itself you cannot filter packets by contents of the Info column. You have to use the display filter field - it may seem complex first but it is actually not, and filtering this way is much more powerful than text search on the summary information.

To avoid misleading you: you can use the display filter to search for strings in raw packet data or in dissected protocol fields, but not in the Info column as doing so would rarely be useful.

So for your example, you would use display filter expressions like tcp.analysis.retransmission (hint: start typing tcp. and Wireshark will suggest you possible completions).

Once you compose your filter and the display filter field colour is green, press the --> button to the right from the display filter field. The list of packets will shrink to those matching that filter expression.

In the status line at the right bottom of the Wireshark window you'll see a summary: Packets: X, Displayed: Y. "Displayed" means "matching the display filter expression".

edit flag offensive delete link more

Comments

thanks sindy. I mean search in wireshark I need to compare 2 pcap files from 2 points in the network to see if TCP errors (dup ACK, retransmits etc) are exactly same in both files or not. So i need to:

1) filter and find the particular strings

2) know how many of those are total

let me know if you had an idea... trying to read and trying things but getting a bit delayed... thanks

Nik108 gravatar imageNik108 ( 2017-11-11 03:31:40 +0000 )edit

Hey Sindy - thanks a lot for the explanation. it was really helpful at the moment of need! cheers

Nik108 gravatar imageNik108 ( 2017-11-14 15:33:14 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-11-10 12:17:20 +0000

Seen: 1,921 times

Last updated: Nov 11 '17