Using sharkd to search through packets

asked 2023-06-20 06:02:14 +0000 by otr

updated 2023-06-20 10:12:11 +0000

Sharkd implements many features of Wireshark, but I didn't find a way to search through packets like CTRL+F does in the UI. Is this possible?


Comments

CTRL+S saves the file. Did you mean CTRL+F or CTRL+G?

Chuckc ( 2023-06-20 08:42:37 +0000 )

Yes, you are right, I meant CTRL+F

otr ( 2023-06-20 10:11:24 +0000 )

Can you work with the list output from a frames request?

Chuckc ( 2023-06-20 14:39:35 +0000 )

I think that approach might work for display filters, but when it comes to string search or hex search, it seems like there would be an excessive amount of data that I would need to send to the client in order to sift through the packets.

otr ( 2023-06-20 15:01:06 +0000 )

https://www.wireshark.org/docs/wsug_h...
See "6.4.2.2. Some Examples" for searches on hex bytes and strings.
A display filter on frame contains "foo" does a string search.

{"jsonrpc":"2.0", "id":1, "method":"frames", "filter":"frame contains \"hel\""}
Chuckc ( 2023-06-20 15:08:47 +0000 )
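The approach in the comment above, worked through as an added example (not code from the thread or from Wireshark itself): the string or hex search is turned into a `frame contains` display filter and handed to sharkd in a `frames` request, so the byte matching runs inside sharkd and only the summary columns of the matching frames come back to the client. The example assumes sharkd is started as `sharkd -` (newline-delimited JSON-RPC on stdin/stdout), that request parameters sit under `"params"` and that each hit in the `frames` result carries `"c"` (column strings) and `"num"` (frame number), as described on the sharkd JSON-RPC wiki; check these against the sharkd version you run. The sample response is constructed, not captured from a real session. Note that `frame contains` is a case-sensitive match over the raw frame bytes, so it finds neither decoded-field text that is not literally on the wire nor anything under TLS.

```python
"""Search packets through sharkd with `frame contains` display filters.

Added example; not part of the original thread or of Wireshark's code.
Assumed protocol details (verify against your sharkd version):
  - `sharkd -` reads one JSON-RPC 2.0 request per line on stdin and writes
    one response per line on stdout;
  - request parameters are nested under "params";
  - each `frames` hit is an object with "c" (column strings) and "num".
"""
import json
import subprocess


def filter_for_string(needle: str) -> str:
    """Build `frame contains "<needle>"` with display-filter escaping.

    Backslash and double quote are escaped; non-printable characters are
    emitted as \\xhh so the literal stays on a single request line.
    """
    out = []
    for ch in needle:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif not ch.isprintable():
            out.append("".join("\\x%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return 'frame contains "%s"' % "".join(out)


def filter_for_hex(pattern: bytes) -> str:
    """Build `frame contains 68:65:6c` for a raw byte-sequence search."""
    if not pattern:
        raise ValueError("empty byte pattern")
    return "frame contains " + ":".join("%02x" % b for b in pattern)


def load_request(req_id: int, path: str) -> str:
    """One `load` request line (capture path is whatever sharkd can open)."""
    msg = {"jsonrpc": "2.0", "id": req_id, "method": "load",
           "params": {"file": path}}
    return json.dumps(msg) + "\n"


def frames_request(req_id: int, display_filter: str) -> str:
    """One `frames` request line carrying the display filter."""
    msg = {"jsonrpc": "2.0", "id": req_id, "method": "frames",
           "params": {"filter": display_filter}}
    return json.dumps(msg) + "\n"


def parse_frames_response(line: str) -> list[tuple[int, list[str]]]:
    """Return (frame number, columns) per hit; raise on a JSON-RPC error
    (for example an invalid display filter)."""
    resp = json.loads(line)
    if "error" in resp:
        err = resp["error"]
        raise RuntimeError("sharkd error %s: %s" % (err.get("code"), err.get("message")))
    return [(int(hit["num"]), list(hit["c"])) for hit in resp.get("result", [])]


def search_capture(capture: str, display_filter: str,
                   sharkd_bin: str = "sharkd") -> list[tuple[int, list[str]]]:
    """Spawn `sharkd -`, load one capture and run a single frames request.
    Requires a real sharkd binary; not exercised by the offline checks."""
    proc = subprocess.Popen([sharkd_bin, "-"], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    try:
        proc.stdin.write(load_request(1, capture))
        proc.stdin.write(frames_request(2, display_filter))
        proc.stdin.flush()
        load_resp = json.loads(proc.stdout.readline())
        if "error" in load_resp:
            raise RuntimeError("load failed: %s" % load_resp["error"])
        return parse_frames_response(proc.stdout.readline())
    finally:
        proc.stdin.close()
        proc.wait(timeout=10)


# Constructed sample `frames` response (not captured from a real sharkd run).
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 2,
    "result": [
        {"c": ["4", "0.001234", "10.0.0.1", "10.0.0.2", "HTTP", "GET /hello"], "num": 4},
        {"c": ["9", "0.004321", "10.0.0.2", "10.0.0.1", "HTTP", "200 OK (text/html)"], "num": 9},
    ],
})

if __name__ == "__main__":
    print(filter_for_string('say "hel\\lo"'))
    print(filter_for_hex(b"hel"))
    print(frames_request(2, filter_for_string("hel")), end="")
    for num, cols in parse_frames_response(SAMPLE_RESPONSE):
        print(num, cols[-1])
```

For a case-insensitive or pattern search the same request shape works with a `frame matches "(?i)hel"` filter instead; either way the cost of scanning every packet is paid inside sharkd, not in the client.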

Right, thanks for taking the time to point this out. I try to do it with workarounds. I guess _ws.col.Info will also work similarly then, to search in the Info column. The point of searching was to not have to take the performance hit to sift through all packets, but I guess that functionality is missing in sharkd for now.

otr ( 2023-06-21 06:51:02 +0000 )