In Wireshark, after capturing network traffic we can save the capture file on our local device so that it can be analyzed thoroughly later. We can save captured packets using the File → Save or File → Save As… menu items. While analyzing a capture we sometimes need to locate a specific packet. We can find that packet using the “Find Packet” toolbar.
Steps to Open the “Find Packet” Toolbar:
To find specific packets in Wireshark follow the steps below:
- Start Wireshark and either select the network interface we want to capture from or open a previously saved capture file.
- Click the Edit → Find Packet menu item (or the corresponding toolbar button).
This will open the “Find Packet” toolbar between the main toolbar and the packet list.
We can also use the keyboard shortcut “Ctrl+F” to open the “Find Packet” toolbar. Once it is open, we can search for packets using the following criteria:
Display Filter:
In the “Filter” field we can type the filter primitive and click on find to search and display the packets matching the filter. For example, the filter primitive
tcp.port == 443 && ip.src == 192.168.29.52
will search for packets with the source IP address 192.168.29.52 and TCP port 443 (note that tcp.port matches either the source or the destination port; tcp.srcport restricts the match to the source port). When the syntax is valid, the background of the filter field turns green. If we type something wrong, the background turns red, which tells us that Wireshark does not recognize the text as valid display filter syntax.
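To make the matching rules concrete, the following is an added example (not Wireshark's own code) that evaluates a small subset of display-filter syntax against a constructed set of packets. It supports `field == value` terms joined by `&&`, treats the real Wireshark fields `tcp.port` and `ip.addr` as matching either end of the conversation, and returns `None` for malformed filters, mirroring the red background in the filter field. The packets and their addresses are constructed for the example.

```python
import re

# Constructed sample capture (not from a real pcap): a client at
# 192.168.29.52 opening an HTTPS connection, the server's reply, and an
# unrelated DNS query. Each packet is a dict of the fields a filter can use.
SAMPLE_PACKETS = [
    {"ip.src": "192.168.29.52", "ip.dst": "93.184.216.34",
     "tcp.srcport": 51514, "tcp.dstport": 443},      # client -> server
    {"ip.src": "93.184.216.34", "ip.dst": "192.168.29.52",
     "tcp.srcport": 443, "tcp.dstport": 51514},      # server -> client
    {"ip.src": "192.168.29.52", "ip.dst": "192.168.29.1",
     "udp.srcport": 53000, "udp.dstport": 53},       # unrelated DNS
]

# Fields this toy evaluator understands. "tcp.port" and "ip.addr" are
# shorthands that match either end of the conversation, as in Wireshark.
FIELD_SOURCES = {
    "ip.src": ("ip.src",),
    "ip.dst": ("ip.dst",),
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.srcport": ("tcp.srcport",),
    "tcp.dstport": ("tcp.dstport",),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
}

# One "field == value" term; only the == operator is supported here.
_TERM = re.compile(r"^\s*([a-z]+\.[a-z]+)\s*==\s*([0-9A-Za-z.]+)\s*$")


def parse_filter(expr):
    """Parse 'field == value' terms joined by '&&' into (field, value) pairs.

    Returns None when a term is malformed or names an unknown field, which
    is the situation in which Wireshark's filter field turns red.
    """
    terms = []
    for part in expr.split("&&"):
        match = _TERM.match(part)
        if not match or match.group(1) not in FIELD_SOURCES:
            return None
        terms.append((match.group(1), match.group(2)))
    return terms


def _packet_values(pkt, field):
    """Values of pkt that `field` is compared against, as strings."""
    return [str(pkt[src]) for src in FIELD_SOURCES[field] if src in pkt]


def find_packets(packets, expr):
    """Return indices of packets matching expr, or None if expr is invalid."""
    terms = parse_filter(expr)
    if terms is None:
        return None
    return [i for i, pkt in enumerate(packets)
            if all(value in _packet_values(pkt, field)
                   for field, value in terms)]


if __name__ == "__main__":
    # The page's filter matches only the client's outbound packet (index 0),
    # because its destination port is 443; tcp.srcport would match nothing.
    print(find_packets(SAMPLE_PACKETS, "tcp.port == 443 && ip.src == 192.168.29.52"))
    print(find_packets(SAMPLE_PACKETS, "tcp.srcport == 443 && ip.src == 192.168.29.52"))
    print(find_packets(SAMPLE_PACKETS, "tcp.port = 443"))  # invalid: None
```

Running it shows why the distinction matters when hunting for a particular packet: `tcp.port == 443` picks up both directions of the TLS conversation, and combining it with `ip.src` narrows the result to the client side, whereas `tcp.srcport == 443 && ip.src == 192.168.29.52` finds nothing because the client never sends from port 443.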
Hexadecimal Value:
We can search for a packet containing a specific sequence of bytes. We enter the bytes as hexadecimal values, for example “a8 da 0c”, into the field to find packets whose data contains that sequence.
String:
We can also perform a string search to find a particular string in the packet data.
Regular Expression:
We can also search for packets whose data matches a Perl-compatible regular expression.
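The three content searches differ in what they compare against the packet bytes, which is easy to get wrong: a hex search for “a8 da 0c” looks for the three raw bytes, while a string search for the same text looks for the ASCII characters "a8 da 0c". The following is an added example (not Wireshark's code) that implements all three over a few constructed payloads; Python's `re` module stands in for the PCRE engine, which is an assumption that holds for the simple patterns used here.

```python
import re

# Constructed sample packet payloads (raw bytes), not taken from a real
# capture: an HTTP request behind an IPv4 header, a binary record that
# starts with the bytes a8 da 0c, and an HTTP response carrying an address.
SAMPLE_PAYLOADS = [
    bytes.fromhex("4500003c1c46400040069c8ac0a81d34")
    + b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    bytes.fromhex("a8da0c0000000000") + b"\x16\x03\x01",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html>admin@example.test</html>",
]


def hex_to_bytes(text):
    """Turn 'a8 da 0c', 'a8:da:0c' or 'a8da0c' into bytes.

    Raises ValueError when the text is empty or not an even run of hex
    digits, which is the input Wireshark rejects for a hex search.
    """
    cleaned = re.sub(r"[\s:]", "", text)
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError(f"not a hex byte sequence: {text!r}")
    return bytes.fromhex(cleaned)


def find_hex(payloads, text):
    """Indices of payloads containing the byte sequence written in hex."""
    needle = hex_to_bytes(text)
    return [i for i, p in enumerate(payloads) if needle in p]


def find_string(payloads, text, case_sensitive=True):
    """Indices of payloads containing the text, compared as ASCII bytes."""
    needle = text.encode("ascii")
    if not case_sensitive:
        # bytes.lower() only folds ASCII letters, which is what we want here.
        return [i for i, p in enumerate(payloads) if needle.lower() in p.lower()]
    return [i for i, p in enumerate(payloads) if needle in p]


def find_regex(payloads, pattern):
    """Indices of payloads where the regular expression matches anywhere."""
    rx = re.compile(pattern.encode("ascii"))
    return [i for i, p in enumerate(payloads) if rx.search(p)]


if __name__ == "__main__":
    print(find_hex(SAMPLE_PAYLOADS, "a8 da 0c"))            # raw bytes: [1]
    print(find_string(SAMPLE_PAYLOADS, "a8 da 0c"))         # ASCII text: []
    print(find_string(SAMPLE_PAYLOADS, "http"))             # case matters: []
    print(find_string(SAMPLE_PAYLOADS, "http", False))      # [0, 2]
    print(find_regex(SAMPLE_PAYLOADS, r"[a-z]+@[a-z.]+"))   # [2]
```

The case-sensitivity toggle reflects that a plain string search is an exact byte comparison, so "http" does not match the "HTTP/1.1" in the sample request unless case folding is enabled; the regular expression search is the tool to reach for when the exact form of the text is not known in advance.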