Search for a string in packet bytes of a pcap file using tshark

Question

I am able to search for a string in the in packet bytes of a pcap capture using Wireshark. Is there similar functionality available in tshark ?

I already have the pcap files. But I need to go through them quickly to find the matching strings in the packet bytes.

score 2 · Answer 1 · edited Jun 07 '24 at 10:33

2

The answer above from Christopher Maynard is almost right. On a Linux system you will need to enclose the ASCII text you're searching for in quotes.

tshark -r foo.pcap -Y 'frame contains "foo"'

edited Jun 07 '24 at 10:33

ChanganAuto

1
4
18
19

answered Jun 07 '24 at 02:16

Beginner_Scripter

21

score 1 · Answer 2 · answered Feb 22 '22 at 21:42

You ought to be able to find packets containing strings of interest using either the contains or matches operators, depending on your needs. For example:

tshark -r foo.pcap -Y "frame contains foo"

For more information on Wireshark display filters, refer to the wireshark-filter man page.

Search for a string in packet bytes of a pcap file using tshark

2 Answers2