Networking/Computing Tips/Tricks

A common question regarding Wireshark packet analysis is "Can I find a text string in a packet capture?"

The answer is that it depends on where the text string is (like header vs. packet content) and if the packets contain encrypted data. 

Usecase #1: If you are looking for something like "password" in the contents of packets, and the user was on an HTTPS connection, then you will not find this string.  However, if they are using HTTP or some other clear text protocol, then you will be able to find a string in the packet contents.

Usecase #2: If you are looking for a string in the packet headers, it will depend on whether the header was inside or outside a VPN tunnel.  Most packet headers outside such a tunnel are always searchable and not encrypted.  Anything in the tunnel will be and therefore not searchable.

Alright, let's talk about what tools come in Wireshark to find a string. 

Option 1

First there is the generic find/search capability found here:

2019 09 26 10 02 08

When you click on this button, or select Edit> Find Packet from the drop down menus, you will be presented with the following toolbar immediately below the display filter toolbar:

2019 09 26 10 05 05

You will note the "Display filter" drop down just to the left of the string entry box.

The options are as follows:

2019 09 26 10 08 59

To find a string, select string, and note that the two other drop down boxes are no longer greyed out.  Now select packet bytes if you want to look inside the packets, and then type the string you are looking for in the entry box and click on find:

2019 09 26 10 13 12

Above, you can see I selected string, packet bytes, entered "BHI" as my string and then clicked find.  Packet 246 has this string and Wireshark highlights this.  This was the first instance, and if I clicked find again, Wireshark will look further into the capture.  Eventually I will reach the end of the capture and have to reset the view to the first packet to initiate the search once again.

Option 2

What if I just wanted to see the packets with "BHI" in them?

For this we need to use the Display Filter functionality of Wireshark.  A reference with details regarding my examples below can be found here.

Specifically there is a display filter terms called 'frame contains' and 'frame matches'.  Contains is fairly stright forward.  Here is an example:

frame contains "BHI"

2019 09 26 10 28 06

A couple of things here: you do not need to use quotes, and you cannot say something like an IP Address.

The 'frame matches' is a little different.  This is a fairly flexible display filter and we will not cover all the options here.  The keyword 'matches' is a "Regex next" to Wireshark - a Perl-compatible regular expression.  You can find a great cheat sheet for Regex here.  So without running down the details of this, we will provide and explain some examples commonly used.  Hopefully from this you will understand it.

All these display filters are case sensitive.  So a common command I use when performing these types of searches is the (?i) which makes the search non-case sensitive.

So I could have used the following command:

frame matches "(?i)bhi"

I get the same result:

2019 09 26 10 53 51

Let's say I wanted to find "BHI" or "BHS", I would use:

frame matches "(?i)bh[is]"

Let's say I wanted to find "BHI" and all others through "BHS", I would use:

frame matches "(?i)bh[i-s]"

Let's say I wanted to match "BHI" or "BHS", I would use:

frame matches "(?i)(bhi|bhs)"

As you can imagine, another common one here would be:

frame matches "(?i)(username|password)"

You can also use the '^', which means start of field, and '$', which means end of field, commands. 

Also the '\.' means look for a dot.

So if you wanted to find any listed web sites in a capture, perhaps you would use:

frame matches "\.com$"

Or perhaps you would want to find possible files:

frame matches "\.(?i)(exe|zip|doc|xls|ppt|jar)"

Lets say you wanted to look for email addresses, you would use this:

frame matches "(?i)[A-Z0-9._%~]+@[A-Z0-9.-]+\.[A-Z\>]{2,4}"

So those are just some ideas.

If anyone has others, please comment below and share!  Thanks.


Comments powered by CComment

The nicest thing you can do is use these inks to support us!  Thank you!

Support our research!  Buy me a coffee :)

Support our research. Become a Patron!

Find by Tag

4G Networks 5G Networks 6in4 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az Addressing Analysis Ansible Architecture ARP AToM BGP Bloom's Taxonomy Broadband Cable cat CBRS CellStream Cellular Central Office Cheat Sheet Chrome Cisco Cloud Coloring Rules Computer Consulting CPI Customer Support Data Center Data Networking DHCPv6 DNS Docker Documentation Dublin-Traceroute dumpcap ECMP Ethernet Ethics Fragmentation G-MPLS Git GNS3 Google GQUIC Hands-On History Home Network ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 Interface Control Internet IoT IPsec IPv4 IPv6 IS-IS L2VPN L3VPN LDP Linux LLN LoL M-BGP MAC MAC OSx Macro Microsoft mininet Monitoring MPLS MTU Multicast My Room Name Resolution Netcat Netmiko NetMon netsh Networking Network Science nmap Npcap Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX OTT Paris-Traceroute Parrot PIM pktmon PMTU Policy POTS POTS to Pipes PPP Profile Programming Project Management Protocol 41 PW3E Python QoS QUIC Remote Desktop Requirements RIP Routing RPL RSVP Rural SAS SDN Security Service Provider Small Business SONET Speed SS7 SSH SSL Subnetting SYSCTL T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone termshark TLS Tools Traceroute Traffic Engineering Training Travel Tunnel Ubuntu Utility Video Virtualbox Virtualization VoIP VRF VXLAN Webex WEP Wi-Fi Wi-Fi 4 Wi-Fi 5 Wi-Fi 6 Wi-Fi 6/6E Windows Winpcap Wireless Wireless 5G Wireshark Wireshark Tip WLAN WPA2 Zenmap ZigBee Zoom

Support us by clicking:

Twitter Feed