6.8. Finding Packets

You can easily find packets once you have captured some packets or have read in a previously saved capture file. Simply select EditFind Packet…​ in the main menu. Wireshark will open a toolbar between the main toolbar and the packet list shown in Figure 6.12, “The “Find Packet” toolbar”.

6.8.1. The “Find Packet” Toolbar

Figure 6.12. The “Find Packet” toolbar

ws find packet

You can search using the following criteria:

Display filter

Enter a display filter string into the text entry field and click the Find button. + For example, to find the three-way handshake for a connection from host 192.168.0.1, use the following filter string:

ip.src==192.168.0.1 and tcp.flags.syn==1

The value to be found will be syntax checked while you type it in. If the syntax check of your value succeeds, the background of the entry field will turn green, if it fails, it will turn red. For more details see Section 6.3, “Filtering Packets While Viewing”

Hexadecimal Value

Search for a specific byte sequence in the packet data.

For example, use “ef:bb:bf” to find the next packet that contains the UTF-8 byte order mark.

String
Find a string in the packet data, with various options.
Regular Expression
Search the packet data using Perl-compatible regular expressions. PCRE patterns are beyond the scope of this document, but typing “pcre test” into your favorite search engine should return a number of sites that will help you test and explore your expressions.