This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Search data spanned over multiple TCP packets

0

This pcap has a TCP session of a slowloris attack. When I tried to search for the string "www.t.co", it failed to find the packets that contain it. This string actually spans two TCP data packets. Wonder if Wireshark supports searching across packets. Thanks.

My Wireshark version is 1.10.6.

asked 07 Sep '15, 12:38

pktUser1001
201495054
accept rate: 12%


2 Answers:

0

Wonder if Wireshark supports searching across packets.

No, it doesn't.

However, you can follow a TCP stream and then search within the text of the pop-up window.

right click any frame -> Follow TCP Stream

Then use Find function.

Regards
Kurt

answered 07 Sep '15, 16:26

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

The issue is we don't know which session in a pcap contains that string (that may span over multiple data packets). I was afraid it's outside the scope of Wireshark. Thanks for confirming it.

(08 Sep '15, 07:24) pktUser1001

1

Well in this case Wireshark can do it.

At the packet detail pane right click the TCP layer and activate

Protocol Preferences -> Allow subdissectors to reassemble TCP Streams

Then at the packet detail pane right click the HTTP layer and activate

Protocol Preferences -> Reassemble HTTP headers spanning multiple segments

And then you can see the host and the URL www.t.co

answered 07 Sep '15, 21:41

Christian_R
1.8k2625
accept rate: 16%

edited 08 Sep '15, 14:43

Thanks @Christian_R for the answer. It helps in the case of searching for the HTTP host header. In the general case of searching for a string in a TCP stream, it can't be done, as Kurt confirmed.

(08 Sep '15, 07:26) pktUser1001

You can also reassemble the HTTP bodies.

(08 Sep '15, 07:43) Christian_R
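
Added example, not part of the original thread: a sketch of the general case discussed above, locating a string that straddles TCP segment boundaries when the stream is not known in advance. It groups payloads per flow direction, orders them by sequence number and searches the reassembled bytes; the segment tuples, addresses and function names are constructed for illustration, and sequence-number wraparound is assumed not to occur.

```python
from collections import defaultdict

# Constructed sample: (src, sport, dst, dport, seq, payload) per TCP segment.
SEGMENTS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, 1000, b"GET / HTTP/1.1\r\nHost: www."),
    ("10.0.0.7", 40002, "192.0.2.10", 80, 5000, b"GET /a HTTP/1.1\r\nHost: example.test\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, 1026, b"t.co\r\nX-a: b\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, 1026, b"t.co\r\nX-a: b\r\n"),  # retransmission
]

def reassemble(segments):
    """Return {flow: [contiguous byte runs]} ordered by TCP sequence number."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        if payload:
            flows[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for flow, segs in flows.items():
        runs, next_seq = [], None
        for seq, data in sorted(segs):
            if next_seq is None or seq > next_seq:  # first segment or a gap: new run
                runs.append(bytearray())
                next_seq = seq
            skip = next_seq - seq                   # bytes already seen (retransmit/overlap)
            if skip < len(data):
                runs[-1] += data[skip:]
                next_seq = seq + len(data)
        streams[flow] = [bytes(r) for r in runs]
    return streams

def find_in_packets(segments, needle):
    """Per-segment search: matches only when the needle lies inside one payload."""
    return [s[:4] for s in segments if needle in s[5]]

def find_in_streams(segments, needle):
    """Search reassembled data; returns the flows whose byte stream contains needle."""
    return [flow for flow, runs in reassemble(segments).items()
            if any(needle in run for run in runs)]

if __name__ == "__main__":
    needle = b"www.t.co"
    print("per-segment hits:", find_in_packets(SEGMENTS, needle))
    print("per-stream hits: ", find_in_streams(SEGMENTS, needle))
```

A run is closed at every sequence gap, so a match is never reported across bytes that were missing from the capture.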