Networking/Computing Tips/Tricks

A common question regarding Wireshark packet analysis is "Can I find a text string in a packet capture?"

Check out these great references as well: 

 Our custom profiles repository for Wireshark
 Our Udemy course on Wireshark 
 Our Udemy course on Wireless Packet capture

The answer is that it depends on where the text string is (like header vs. packet content) and if the packets contain encrypted data. 

Usecase #1: If you are looking for something like "password" in the contents of packets, and the user was on an HTTPS connection, then you will not find this string.  However, if they are using HTTP or some other clear text protocol, then you will be able to find a string in the packet contents.

Usecase #2: If you are looking for a string in the packet headers, it will depend on whether the header was inside or outside a VPN tunnel.  Most packet headers outside such a tunnel are always searchable and not encrypted.  Anything in the tunnel will be and therefore not searchable.

Alright, let's talk about what tools come in Wireshark to find a string. 

Option 1

First there is the generic find/search capability found here:

2019 09 26 10 02 08

When you click on this button, or select Edit> Find Packet from the drop down menus, you will be presented with the following toolbar immediately below the display filter toolbar:

2019 09 26 10 05 05

You will note the "Display filter" drop down just to the left of the string entry box.

The options are as follows:

2019 09 26 10 08 59

To find a string, select string, and note that the two other drop down boxes are no longer greyed out.  Now select packet bytes if you want to look inside the packets, and then type the string you are looking for in the entry box and click on find:

2019 09 26 10 13 12

Above, you can see I selected string, packet bytes, entered "BHI" as my string and then clicked find.  Packet 246 has this string and Wireshark highlights this.  This was the first instance, and if I clicked find again, Wireshark will look further into the capture.  Eventually I will reach the end of the capture and have to reset the view to the first packet to initiate the search once again.

Option 2

What if I just wanted to see the packets with "BHI" in them?

For this we need to use the Display Filter functionality of Wireshark.  A reference with details regarding my examples below can be found here.

Specifically there is a display filter terms called 'frame contains' and 'frame matches'.  Contains is fairly stright forward.  Here is an example:

frame contains "BHI"

2019 09 26 10 28 06

A couple of things here: you do not need to use quotes, and you cannot say something like an IP Address.

The 'frame matches' is a little different.  This is a fairly flexible display filter and we will not cover all the options here.  The keyword 'matches' is a "Regex next" to Wireshark - a Perl-compatible regular expression.  You can find a great cheat sheet for Regex here.  So without running down the details of this, we will provide and explain some examples commonly used.  Hopefully from this you will understand it.

All these display filters are case sensitive.  So a common command I use when performing these types of searches is the (?i) which makes the search non-case sensitive.

So I could have used the following command:

frame matches "(?i)bhi"

I get the same result:

2019 09 26 10 53 51

Let's say I wanted to find "BHI" or "BHS", I would use:

frame matches "(?i)bh[is]"

Let's say I wanted to find "BHI" and all others through "BHS", I would use:

frame matches "(?i)bh[i-s]"

Let's say I wanted to match "BHI" or "BHS", I would use:

frame matches "(?i)(bhi|bhs)"

As you can imagine, another common one here would be:

frame matches "(?i)(username|password)"

You can also use the '^', which means start of field, and '$', which means end of field, commands. 

Also the '\.' means look for a dot.

So if you wanted to find any listed web sites in a capture, perhaps you would use:

frame matches "\.com$"

Or perhaps you would want to find possible files:

frame matches "\.(?i)(exe|zip|doc|xls|ppt|jar)"

Lets say you wanted to look for email addresses, you would use this:

frame matches "(?i)[A-Z0-9._%~]+@[A-Z0-9.-]+\.[A-Z\>]{2,4}"

So those are just some ideas.

If anyone has others, please comment below and share!  Thanks.


Comments powered by CComment

Did you learn something?
Did I save you time? 

Buy me a coffeeBuy me a coffee!

Find by Tag

4G Networks 5G Networks 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az ACL Addressing Analysis Ansible Architecture ARP AToM Backup Bandwidth BGP Biography Bloom's Taxonomy Cable CBRS CellStream Cellular Central Office Cheat Sheet Chrome Cisco Clock Cloud Coloring Rules Computer Consulting CPI Data Center Data Networking Decryption DHCPv4 DHCPv6 DNS Documentation dumpcap ECMP EIGRP Ethernet Ethics Fiber Optics Flipping the Certification Model Fragmentation G-MPLS Git GNS3 Google GQUIC Hands-On History Home Network HTTPS ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 Internet IOS Classic IoT iPerf IPsec IP Spoofing IPv4 IPv6 IS-IS L2 Switch L2VPN L3VPN LDP Linux LLN Logging LoL M-BGP MAC Macro Microsoft mininet Monitoring Monitor Mode MPLS Multicast Name Resolution Netcat Netflow NetMon netsh Networking Network Science nmap Npcap Online Learning Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX OTT Parrot PIM Ping Policy POTS POTS to Pipes PPP Profile Programming Project Management PW3E Python QoS QUIC Remote Desktop Requirements RIP Routing RPL RSVP Rural SAS SDN Security Security Associations Self Certification Service Provider Small Business Smartport SONET Speed SSH SSL Subnetting T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone Telnet TLS Tools Traceroute Traffic Analysis Traffic Engineering Training Travel Tunnel Ubuntu Utility Video Virtualbox Virtualization VoIP VRF VXLAN Webex Wi-Fi Wi-Fi 6 Windows Wireless Wireless 5G Wireshark Wireshark Tip WLAN ZigBee Zoom

Twitter Feed