User Guide

Working with captured packets
Close: Close this dialog. This will discard unsaved settings.
6.7. Defining and saving filter macros
You can define filter macros with Wireshark and give them labels for later use. This can save time in
remembering and retyping some of the more complex filters you use.
XXX - add an explanation of this.
6.8. Finding packets
You can easily find packets once you have captured some packets or have read in a previously saved
capture file. Simply select the Find Packet... menu item from the Edit menu. Wireshark will pop up the
dialog box shown in Figure 6.9, “The "Find Packet" dialog box”.
6.8.1. The "Find Packet" dialog box
Figure 6.9. The "Find Packet" dialog box
You might first select the kind of thing to search for:
Display filter
Simply enter a display filter string into the Filter: field, select a direction, and click on OK.
For example, to find the three way handshake for a connection from host 192.168.0.1, use the following
filter string:
ip.src==192.168.0.1 and tcp.flags.syn==1
For more details on display filters, see Section 6.3, “Filtering packets while viewing”.
Hex Value
Search for a specific byte sequence in the packet data.
For example, use "00:00" to find the next packet including two null bytes in the packet data.
String
Find a string in the packet data, with various options.
The value to be found is syntax checked while you type it in. If the syntax check of your value
succeeds, the background of the entry field turns green; if it fails, it turns red.
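The following is an added example, not Wireshark code and not part of the User Guide. It models the three search kinds of the "Find Packet" dialog (display filter, hex value, string), the Up/Down search direction, and the green/red syntax check, over a small constructed capture. Everything about it is an assumption for illustration: the Packet record, the handful of supported filter fields (ip.src, ip.dst, tcp.flags.syn, tcp.flags.ack joined with "and"), the accepted hex spellings ("00:00", "00 00", "0000"), and the absence of wrap-around when the end of the capture is reached.

```python
"""Model of Wireshark's "Find Packet" search semantics (added example, not Wireshark code)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Packet:
    """Minimal constructed packet: only the fields the toy filters need plus raw payload bytes."""
    number: int
    src: str
    dst: str
    syn: bool
    ack: bool
    payload: bytes


# Constructed sample capture (not real traffic): a SYN/SYN-ACK/ACK exchange from 192.168.0.1
# surrounded by two packets carrying application data.
CAPTURE: List[Packet] = [
    Packet(1, "10.0.0.5", "192.168.0.1", syn=False, ack=True, payload=b"GET / HTTP/1.1\r\n"),
    Packet(2, "192.168.0.1", "10.0.0.9", syn=True, ack=False, payload=b""),
    Packet(3, "10.0.0.9", "192.168.0.1", syn=True, ack=True, payload=b""),
    Packet(4, "192.168.0.1", "10.0.0.9", syn=False, ack=True, payload=b"\x00\x00\x01login"),
    Packet(5, "10.0.0.9", "192.168.0.1", syn=False, ack=True, payload=b"Welcome, user"),
]

# Assumed subset of display-filter fields; each maps a packet to its string value.
FIELDS = {
    "ip.src": lambda p: p.src,
    "ip.dst": lambda p: p.dst,
    "tcp.flags.syn": lambda p: "1" if p.syn else "0",
    "tcp.flags.ack": lambda p: "1" if p.ack else "0",
}
TERM_RE = re.compile(r"^\s*([a-z.]+)\s*==\s*(\S+)\s*$")
# Hex value: byte pairs, optionally separated by ':' or whitespace ("00:00", "00 00", "0000").
HEX_RE = re.compile(r"^[0-9a-fA-F]{2}(?:[:\s]?[0-9a-fA-F]{2})*$")


def compile_display_filter(text: str) -> Optional[Callable[[Packet], bool]]:
    """Parse 'field==value [and field==value ...]'; None means the syntax check fails (red)."""
    terms = []
    for clause in re.split(r"\s+and\s+", text.strip()):
        m = TERM_RE.match(clause)
        if not m or m.group(1) not in FIELDS:
            return None
        terms.append((FIELDS[m.group(1)], m.group(2)))
    return lambda p: all(get(p) == value for get, value in terms)


def parse_hex_value(text: str) -> Optional[bytes]:
    """Turn a hex value like '00:00' into bytes; None means the syntax check fails (red)."""
    text = text.strip()
    if not HEX_RE.match(text):
        return None
    return bytes.fromhex(re.sub(r"[:\s]", "", text))


def syntax_check(kind: str, text: str) -> bool:
    """True models the green entry field, False the red one."""
    if kind == "display_filter":
        return compile_display_filter(text) is not None
    if kind == "hex":
        return parse_hex_value(text) is not None
    return True  # any string is a valid string search


def find_next(capture: List[Packet], current: int, matches: Callable[[Packet], bool],
              direction: str = "down") -> Optional[int]:
    """Number of the first matching packet after (down) or before (up) packet `current`, else None."""
    if direction == "down":
        candidates = [p for p in capture if p.number > current]
    else:
        candidates = [p for p in reversed(capture) if p.number < current]
    for p in candidates:
        if matches(p):
            return p.number
    return None


def find_by_filter(capture, current, filter_text, direction="down"):
    pred = compile_display_filter(filter_text)
    if pred is None:
        raise ValueError("display filter syntax error: " + filter_text)
    return find_next(capture, current, pred, direction)


def find_by_hex(capture, current, hex_text, direction="down"):
    needle = parse_hex_value(hex_text)
    if needle is None:
        raise ValueError("hex value syntax error: " + hex_text)
    return find_next(capture, current, lambda p: needle in p.payload, direction)


def find_by_string(capture, current, text, case_sensitive=True, direction="down"):
    needle = text.encode()
    if case_sensitive:
        return find_next(capture, current, lambda p: needle in p.payload, direction)
    return find_next(capture, current, lambda p: needle.lower() in p.payload.lower(), direction)


if __name__ == "__main__":
    print(find_by_filter(CAPTURE, 0, "ip.src==192.168.0.1 and tcp.flags.syn==1"))  # 2
    print(find_by_hex(CAPTURE, 0, "00:00"))       # 4
    print(find_by_string(CAPTURE, 0, "welcome", case_sensitive=False))  # 5
```

Searching from packet 0 with the Guide's filter string stops at the SYN in packet 2, the first packet of the handshake from that host rather than all three; the hex search for "00:00" lands on packet 4, and the same search upward from packet 5 finds it again, while a case-sensitive string search for "welcome" finds nothing.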