



A common question regarding Wireshark packet analysis is "Can I find a text string in a packet capture?"

Check out these great references as well: 

 Our custom profiles repository for Wireshark
 Our Udemy course on Wireshark 
 Our Udemy course on Wireless Packet capture

The answer is that it depends on where the text string is (like header vs. packet content) and if the packets contain encrypted data. 

Usecase #1:

If you are looking for something like "password" in the contents of packets and the user was on an HTTPS connection, you will not find the string: the payload is TLS ciphertext, so the only readable text left in those packets is what the handshake sends in the clear (the server name in the SNI extension, for example), never the application data. If the user was on HTTP or some other cleartext protocol, the string is right there in the packet bytes and a search will find it.

Usecase #2:

If you are looking for a string in the packet headers, it depends on whether the header is inside or outside a VPN tunnel. The outer headers that carry the tunnel are not encrypted and are searchable. Everything inside the tunnel, inner headers included, is encrypted and therefore not searchable.

Alright, let's talk about what tools come in Wireshark to find a string. 


Option 1

First there is the generic find/search capability in Wireshark. When you click on the magnifying glass button on the main toolbar, or select Edit > Find Packet (Ctrl+F) from the menus, you will be presented with a find toolbar immediately below the display filter toolbar.

You will note the "Display filter" drop down just to the left of the string entry box.

The options in that drop down are as follows:

 Display filter
 Hex value
 String
 Regular Expression

To find a string, select string, and note that the two other drop down boxes are no longer greyed out. 

Now select packet bytes if you want to look inside the packets, and then type the string you are looking for in the entry box and click on find:


Above, you can see I selected string, packet bytes, entered "BHI" as my string and then clicked find.  Packet 246 has this string and Wireshark highlights this.  This was the first instance, and if I clicked find again, Wireshark will look further into the capture.  Eventually I will reach the end of the capture and have to reset the view to the first packet to initiate the search once again.

This search is case insensitive by default.  Whether I had entered "bhi" or "bHi" or "bhI", the search finds the same packet.  The find toolbar has a "Case sensitive" checkbox if you need an exact match.

Option 2

What if I just wanted to see the packets with "BHI" in them?

For this we need to use the Display Filter functionality of Wireshark.  A reference with details regarding my examples below can be found here.

Specifically, there are two display filter operators of interest here, 'contains' and 'matches'. Applying them to the frame field searches the whole frame, which gives us 'frame contains' and 'frame matches'.  Contains is fairly straightforward.  Here is an example:

frame contains "BHI"


A couple of things here.  The quotes are optional for a simple word like this, but using them avoids any ambiguity with field names.  'contains' compares raw bytes, so you cannot find an IP address by typing it out: the text "10.0.0.5" does not appear in an IP header, which stores the address as four binary bytes.  Use a field comparison such as ip.addr == 10.0.0.5 for that, or search for the bytes themselves with frame contains 0a:00:00:05.  Also keep in mind that a string match hits anywhere in the frame, headers included, so a very short search term can produce coincidental matches.

The 'frame matches' filter is a little different.  It is fairly flexible and we will not cover all of its options here.  The 'matches' operator takes a Perl-compatible regular expression (PCRE).  You can find a great cheat sheet for Regex here.  Rather than run down all the details, we will give and explain some commonly used examples; hopefully from these you will understand it.

'frame contains' is case sensitive: it compares the exact bytes you typed.  If I used:

frame contains "bhi" 

I get no results:


So a common addition I use when performing these types of searches is the (?i) flag, which makes the regular expression case insensitive.  (Current Wireshark releases document the 'matches' operator as case-insensitive by default, so the flag is redundant there but harmless and makes the intent explicit; (?-i) forces a case-sensitive regex.)

So I could have used the following command:

frame matches "(?i)bhi"

I now find the packet again:


Let's say I wanted to find "BHI" or "BHS", I would use:

frame matches "(?i)bh[is]"

Let's say I wanted to find "BHI" and everything through "BHS" (BHI, BHJ, BHK and so on up to BHS), I would use a character range:

frame matches "(?i)bh[i-s]"

Alternation is another way to say "BHI" or "BHS":

frame matches "(?i)(bhi|bhs)"

As you can imagine, another common one here would be:

frame matches "(?i)(username|password)"

You can also use '^', which anchors the match to the start of the field, and '$', which anchors it to the end.  Note that with frame the "field" is the entire frame, so these anchors refer to the first and last bytes of the packet.

Also, '\.' means look for a literal dot, since a bare '.' matches any character.  Wireshark also interprets backslash escape sequences inside a double-quoted filter string, so patterns with many backslashes can be awkward; Wireshark 4.0 and later accept raw strings (r"\.com$") that are handed to the regex engine exactly as typed.

So if you wanted to find web sites named in a capture, perhaps you would use:

frame matches "\.com$"

With frame, however, '$' requires ".com" to be the very last bytes of the packet, so this will miss most hostnames.  A field-scoped filter such as http.host matches "\.com$" or dns.qry.name matches "\.com$" is far more useful in practice.

Or perhaps you would want to find possible files:

frame matches "\.(?i)(exe|zip|doc|xls|ppt|jar)"

Let's say you wanted to look for email addresses; a common pattern is:

frame matches "(?i)[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}"

(The (?i) lets the A-Z ranges cover lowercase as well, and {2,} rather than {2,4} keeps longer top-level domains from being missed.)
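To make the contains / matches distinction concrete without the GUI, here is an added example in Python. It is not part of the original article and not Wireshark code: it reads a pcap the way the display filter engine sees it, as raw frame bytes, and reimplements the two operators, frame_contains as an exact case-sensitive byte search and frame_matches as a regular expression over those bytes (Python's re stands in for Wireshark's PCRE). The capture is constructed in memory and is not real traffic; the third frame's payload merely stands in for TLS application data to show that a text search finds nothing in it. Frame numbering is 1-based like Wireshark's.

```python
"""Search a pcap for text the way Wireshark's 'frame contains' / 'frame matches'
display filters do.  Added example, not part of the original article; the capture
below is constructed in memory (no real traffic) so the script runs offline."""
import re
import struct


def eth_ipv4_frame(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Build a minimal Ethernet II + IPv4 + TCP frame around an arbitrary payload.
    Only the fields a text search cares about are realistic; checksums are zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto=TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0, src, dst)
    # sport, dport=80, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Wrap frames in a classic libpcap file: 24-byte global header, then 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def parse_pcap(data: bytes):
    """Return the raw bytes of every frame in a little-endian pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    frames, off = [], 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def frame_contains(frames, needle: bytes):
    """'frame contains' equivalent: exact byte sequence, case sensitive.
    Returns 1-based frame numbers, as Wireshark numbers them."""
    return [n for n, f in enumerate(frames, 1) if needle in f]


def frame_matches(frames, pattern: str):
    """'frame matches' equivalent: regular expression applied to the raw frame bytes.
    Compiled as a bytes pattern so one regex character corresponds to one byte."""
    rx = re.compile(pattern.encode("latin-1"))
    return [n for n, f in enumerate(frames, 1) if rx.search(f)]


# Constructed traffic (TEST-NET addresses): a cleartext HTTP POST with credentials,
# an HTTP GET whose path carries "BHI", and an opaque payload standing in for a
# TLS application-data record (record header 17 03 03 plus 16 arbitrary bytes).
FRAMES = parse_pcap(build_pcap([
    eth_ipv4_frame("10.0.0.5", "192.0.2.10",
                   b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
                   b"username=bob@example.com&password=hunter2&file=report.zip"),
    eth_ipv4_frame("10.0.0.5", "192.0.2.10", b"GET /BHI/index.html HTTP/1.1\r\n\r\n"),
    eth_ipv4_frame("10.0.0.5", "192.0.2.10", b"\x17\x03\x03\x00\x10" + bytes(range(0x80, 0x90))),
]))

if __name__ == "__main__":
    for label, hits in [
        ('frame contains "BHI"', frame_contains(FRAMES, b"BHI")),
        ('frame contains "bhi"', frame_contains(FRAMES, b"bhi")),        # case sensitive: nothing
        ('frame matches "(?i)bhi"', frame_matches(FRAMES, r"(?i)bhi")),
        ('frame matches "(?i)(username|password)"', frame_matches(FRAMES, r"(?i)(username|password)")),
        ('frame contains "10.0.0.5"', frame_contains(FRAMES, b"10.0.0.5")),  # dotted text is not in the header
        ('frame contains 0a:00:00:05', frame_contains(FRAMES, bytes([10, 0, 0, 5]))),
    ]:
        print(f"{label:45} -> frames {hits}")
```

Running it, the cleartext credentials, the BHI path and the .zip filename are found; lowercase "bhi" is not found by contains but is by a (?i) regex; and the source address 10.0.0.5 is never found as text, only when searched for as the four header bytes 0a:00:00:05 (in Wireshark you would write ip.addr == 10.0.0.5 instead). The email pattern from above finds bob@example.com in frame 1 and nothing in the binary headers, because the 0x40 ('@') in the IP flags byte has no address characters in front of it.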

So those are just some ideas.

I hope you find this article and its content helpful.  Comments are welcome below.  If you would like to see more articles like this, please support us by clicking the patron link, where you will receive free bonus access to courses and more, or simply buy us a cup of coffee!
