Search for a string in packet bytes of a pcap file using tshark

Question

I am able to search for a string in the in packet bytes of a pcap capture using Wireshark. Is there similar functionality available in tshark ?

I already have the pcap files. But I need to go through them quickly to find the matching strings in the packet bytes.

Neither Wireshark nor tshark are security tools. I'm not sure why you are asking here, — schroeder, Feb 18 '22 at 08:55
@schroeder both wireshark and tshark can be used for security control testing. — Saqib Ali, Feb 18 '22 at 13:13
Sure, and so can a lot of things, but they are not *security* tools. — schroeder, Feb 18 '22 at 13:29

score 1 · Answer 1 · answered Feb 22 '22 at 21:42

You ought to be able to find packets containing strings of interest using either the contains or matches operators, depending on your needs. For example:

tshark -r foo.pcap -Y "frame contains foo"

For more information on Wireshark display filters, refer to the wireshark-filter man page.

Search for a string in packet bytes of a pcap file using tshark

1 Answers1