The 'frame matches' is a little different. This is a fairly flexible display filter and we will not cover all the options here. The keyword 'matches' is a "Regex next" to Wireshark - a Perl-compatible regular expression. You can find a great cheat sheet for Regex here. So without running down the details of this, we will provide and explain some examples commonly used. Hopefully from this you will understand it. These 'frame contains' or 'frame matches' display filters are case sensitive.
Most packet headers outside such a tunnel are always searchable and not encrypted. Anything in the tunnel will be encrypted and therefore not searchable.
Alright, let's talk about what tools come in Wireshark to find a string. If you would like to see this - check out our video:
First there is the generic find/search capability in Wireshark that is found here: When you click on this looking glass button, or select Edit > Find Packet from the drop down menus, you will be presented with the following toolbar immediately below the display filter toolbar: You will note the "Display filter" drop down just to the left of the string entry box. To find a string, select string, and note that the two other drop down boxes are no longer greyed out. Now select packet bytes if you want to look inside the packets, and then type the string you are looking for in the entry box and click on find:
Above, you can see I selected string, packet bytes, entered "BHI" as my string and then clicked find. Packet 246 has this string and Wireshark highlights this. This was the first instance, and if I clicked find again, Wireshark will look further into the capture. Eventually I will reach the end of the capture and have to reset the view to the first packet to initiate the search once again. Whether I had entered "bhi" or "bHi" or "bhI", the search will find the same packet.
What if I just wanted to see the packets with "BHI" in them? For this we need to use the Display Filter functionality of Wireshark. A reference with details regarding my examples below can be found here. Specifically there are display filter terms called 'frame contains' and 'frame matches'. Here is an example: frame contains "BHI"
A couple of things here: you do not need to use quotes, and you cannot say something like an IP Address.
The answer is that it depends on where the text string is (like header vs. packet content) and if the packets contain encrypted data. If you are looking for something like "password" in the contents of packets, and the user was on an HTTPS connection, then you will not find this string. However, if they are using HTTP or some other clear text protocol, then you will be able to find a string in the packet contents. If you are looking for a string in the packet headers, it will depend on whether the header was inside or outside a VPN tunnel.
Our Udemy course on Wireless Packet capture. Our custom profiles repository for Wireshark.
A common question regarding Wireshark packet analysis is "Can I find a text string in a packet capture?" Check out these great references as well:
If Selection.Type = wdSelectionNormal Then _ This example makes all hidden text in the active window visible and then formats the selection as hidden text. MsgBox "No hidden text in the selection." MsgBox "There is hidden text in the selection." If Selection.Type = wdSelectionNormal Then This example checks the selection for hidden text. To control whether properties and methods that return Range objects include or exclude hidden text when hidden text isn't displayed, use the IncludeHiddenText property of the TextRetrievalMode object. To control the display of hidden text, use the ShowHiddenText property of the View object. This property returns True, False or wdUndefined (a mixture of True and False). A variable that represents a Font object. True if the font is formatted as hidden text.