You can easily find packets once you have captured some packets or
have read in a previously saved capture file. Simply select the
Find Packet... menu item from the Edit menu. Wireshark will pop up
the dialog box shown in Figure 6.8, “The "Find Packet" dialog box”.
6.8.1. The "Find Packet" dialog box
You might first select the kind of thing to search for:
- Display filter
  Simply enter a display filter string into the Filter: field, select
  a direction, and click on OK.
  For example, to find the three-way handshake for a connection from
  host 192.168.0.1, use the following filter string:
    ip.src==192.168.0.1 and tcp.flags.syn==1
  For more details on display filters, see Section 6.3, “Filtering
  packets while viewing”.
- Hex Value
  Search for a specific byte sequence in the packet data.
  For example, use "00:00" to find the next packet including two
  null bytes in the packet data.
- String
  Find a string in the packet data, with various options.
The value to be found will be syntax checked while you type it in. If the
syntax check of your value succeeds, the background of the entry field
will turn green; if it fails, it will turn red.
You can choose the search direction:
6.8.2. The "Find Next" command
"Find Next" will continue searching with the same options used in the last
"Find Packet".
6.8.3. The "Find Previous" command
"Find Previous" will do the same thing as "Find Next", but with the
reverse search direction.
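
An added example, not part of the Wireshark documentation or code: a Python model of how the display filter string from section 6.8.1 behaves under "Find Next" and "Find Previous", run over six constructed packets. It shows that the filter selects only packets that 192.168.0.1 itself sends with the SYN bit set (its own SYN, or its SYN/ACK when it is the responder); the function names, the peer addresses and the absence of wrap-around are assumptions of the example.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits

def build_packet(src, dst, flags):
    """Constructed sample: minimal IPv4 + TCP headers, checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def matches(packet, src):
    """Same test as: ip.src==<src> and tcp.flags.syn==1 (IPv4/TCP only)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return False                      # too short, not IPv4, or not TCP
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:
        return False                      # bad header length or truncated TCP header
    return socket.inet_ntoa(packet[12:16]) == src and bool(packet[ihl + 13] & SYN)

def find_packet(packets, current, src, direction="down"):
    """Number (1-based) of the next match from `current`, or None.
    Assumption: the search stops at the end of the list (no wrap-around)."""
    step = 1 if direction == "down" else -1
    n = current + step
    while 1 <= n <= len(packets):
        if matches(packets[n - 1], src):
            return n
        n += step
    return None

HOST = "192.168.0.1"
CAPTURE = [  # constructed packets, numbered from 1 as in the packet list
    build_packet(HOST, "10.0.0.5", SYN),          # 1: host opens a connection
    build_packet("10.0.0.5", HOST, SYN | ACK),    # 2: peer's reply, other source
    build_packet(HOST, "10.0.0.5", ACK),          # 3: final ACK, SYN bit clear
    build_packet("10.0.0.9", HOST, SYN),          # 4: inbound connection attempt
    build_packet(HOST, "10.0.0.9", SYN | ACK),    # 5: host answers, SYN bit set
    build_packet("10.0.0.9", HOST, ACK),          # 6: final ACK from the peer
]

if __name__ == "__main__":
    print(find_packet(CAPTURE, 0, HOST))          # search down from the top
    print(find_packet(CAPTURE, 1, HOST))          # "Find Next" from packet 1
    print(find_packet(CAPTURE, 5, HOST, "up"))    # "Find Previous" from packet 5
```

To step through the remaining packets of a handshake, the peer's SYN/ACK and the final ACK need their own search, since neither has both this source address and a set SYN bit.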