
Contain display filter?

0

Hello,

Is there a display filter where I can search for specific IPs or words in the Info field?

Thanks

asked 10 Mar '15, 11:59


gonzo
6445
accept rate: 0%


3 Answers:

1

As far as I know, there is no way to use a display filter on the contents of the Info column. However, you can use the "Find" function (Ctrl-F) to search for info in the packet list (which includes the Info column). Set your search type to string and choose "packet list" as the "Search in..." option.

answered 11 Mar '15, 01:58


SYN-bit ♦♦
17.1k957245
accept rate: 20%

1

Another possibility might be to run tshark from the command-line and then pipe its output to grep. For example:

tshark -r file.pcap -Y "filter of interest" -T fields -e frame.number -e _ws.col.Info | grep "search string of interest"

That will give you a list of frame numbers containing your item of interest. You can then use those frame numbers as a reference when looking at packets in Wireshark (or for whatever other purpose you might have).

answered 11 Mar '15, 07:08


cmaynard ♦♦
9.4k1038142
accept rate: 20%
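Added example, not part of the answer above: one way to turn the tshark field output into a display filter that can be pasted into Wireshark. It matches only the Info column, so a search string such as "10" cannot hit the frame number the way a whole-line grep would. The helper name `info_to_filter` and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Input on stdin: "<frame.number><TAB><Info>" lines, as produced by
#   tshark -r file.pcap -T fields -e frame.number -e _ws.col.Info
# Output: "frame.number == N || frame.number == M ..." for matching frames.

# info_to_filter is a hypothetical helper name (not a tshark feature).
info_to_filter() {
    # $1 = literal text to look for in the Info column (case-insensitive)
    [ -n "$1" ] || return 2
    needle=$1 awk -F '\t' '
        BEGIN { needle = tolower(ENVIRON["needle"]) }
        $1 ~ /^[0-9]+$/ {
            # Everything after the first tab is the Info text
            info = tolower(substr($0, length($1) + 2))
            # index() is a literal substring test, so dots in an IP
            # address are not treated as regex wildcards
            if (index(info, needle) > 0)
                out = out (out == "" ? "" : " || ") "frame.number == " $1
        }
        END { if (out != "") print out; else exit 1 }
    '
}

# Constructed sample rows standing in for real tshark output.
sample_rows() {
    printf '1\tStandard query 0x1a2b A example.test\n'
    printf '2\t443 > 52344 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0\n'
    printf '10\tGET /index.html HTTP/1.1\n'
    printf '12\tStandard query response 0x1a2b A example.test A 192.0.2.10\n'
}

# With a real capture the pipeline would be:
#   tshark -r file.pcap -T fields -e frame.number -e _ws.col.Info \
#     | info_to_filter "search string of interest"
sample_rows | info_to_filter "192.0.2.10"
```

The function exits non-zero when nothing matches, so a script can tell an empty result from a filter.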

0

I think this should get you going.

answered 11 Mar '15, 01:49


Jaap ♦
11.7k16101
accept rate: 14%