Finding and Marking Packets

While display filters are excellent for focusing on specific types of traffic, Wireshark also provides tools for directly finding individual packets based on specific criteria and marking them for later review.

Finding Packets

The Find Packet dialog (accessed via Edit > Find Packet… or Ctrl+F / Cmd+F) allows you to search for packets based on various criteria:

  • Display Filter: You can enter a temporary display filter in the “Find” field and click “Find” to locate the first packet that matches that filter. You can then use the “Next” and “Previous” buttons to find subsequent matching packets. This is often the most powerful and flexible way to find specific packets.
  • Packet details: Allows you to search within the detailed information of the packets (in the Packet Details Pane) for specific text or hexadecimal values.
    • Search in: You can specify which part of the packet details to search within (e.g., Packet summary line, Packet details, Packet bytes).
    • Filter: You can optionally apply a display filter to limit the search to a specific subset of packets.
    • String: Enter the text you want to find. You can choose to match case.
    • Hex value: Enter the hexadecimal byte sequence you want to find. You can enter bytes with or without spaces (e.g., 0a1b2c or 0a 1b 2c).
  • Packet list: Allows you to search within the columns of the Packet List Pane for specific text.
    • Column: Select the column you want to search within (e.g., Source, Destination, Protocol, Info).
    • String: Enter the text you want to find. You can choose to match case.

Using the Find Packet Dialog:

  1. Go to Edit > Find Packet… (or press Ctrl+F / Cmd+F).
  2. Select the desired search criteria (Display Filter, Packet details, or Packet list).
  3. Enter the search term or filter.
  4. Configure any additional options (e.g., case sensitivity, search in specific details).
  5. Click Find. Wireshark will highlight the first packet that matches your criteria.
  6. Use the Next and Previous buttons in the Find Packet dialog (or Shift+F3 for Next, F3 for Previous) to navigate through subsequent matching packets.
  7. Click Close to close the Find Packet dialog.

Marking Packets:

Marking packets is a way to visually highlight specific packets in the Packet List Pane for later review or export. Marked packets are typically indicated by a flag icon next to the packet number.

How to Mark and Unmark Packets:

  1. Select the packet(s) you want to mark in the Packet List Pane. You can select multiple packets using Ctrl+Click (Windows/Linux) or Cmd+Click (macOS) for non-contiguous selection, or Shift+Click for a range of packets.
  2. Go to Edit > Mark/Unmark Packet (or press Ctrl+M / Cmd+M). The selected packet(s) will now be marked with a flag.
  3. To unmark a packet, select it and repeat step 2. The flag will be removed.

Using Marked Packets:

  • Visual Identification: Marked packets stand out in the Packet List Pane, making it easy to locate them later.
  • Saving Marked Packets: When saving a capture file (File > Save As…), you have the option to save only the marked packets.
  • Exporting Marked Packets: You can also choose to export only the dissections or raw data of marked packets (File > Export Specified Packets… and select “Marked packets”).
  • Display Filter (Indirectly): While there isn’t a direct display filter for “marked packets” by default, you could potentially create a coloring rule based on the “Marked” status if needed for visual filtering.

Combining the Find Packet functionality with the ability to mark packets provides a powerful way to navigate and highlight specific data points within your network captures for more focused analysis.
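To make the search options and the marking workflow concrete, here is an added Python model of the Find dialog's matching rules (hex value with or without spaces, string search with optional case matching, Find Next) and of Mark/Unmark plus "Marked packets" export. It is not Wireshark's own code, it runs on four constructed packets rather than a real capture, and it assumes that Find Next wraps around to the first match when it reaches the end of the list.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    number: int
    info: str        # text of the Packet List "Info" column
    payload: bytes   # raw packet bytes (what "Packet bytes" searches)
    marked: bool = False

def parse_hex_value(text):
    """Accept a hex search value with or without spaces ('0a1b2c' or '0a 1b 2c')."""
    digits = re.sub(r"\s+", "", text)
    if not digits or len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", digits):
        raise ValueError(f"not a hex byte sequence: {text!r}")
    return bytes.fromhex(digits)

def find_hex(packets, hex_text):
    # Hex value search: numbers of all packets whose raw bytes contain the sequence.
    needle = parse_hex_value(hex_text)
    return [p.number for p in packets if needle in p.payload]

def find_string(packets, text, match_case=False, search_in="info"):
    """String search in the Info column ('info') or the packet bytes ('bytes')."""
    norm = (lambda s: s) if match_case else (lambda s: s.lower())
    def text_of(p):
        return p.info if search_in == "info" else p.payload.decode("latin-1")
    return [p.number for p in packets if norm(text) in norm(text_of(p))]

def next_match(matches, current):
    # Find Next: first match after 'current'; wrapping to the first match is this model's assumption.
    later = [n for n in matches if n > current]
    return later[0] if later else (matches[0] if matches else None)

def toggle_mark(packets, numbers):
    # Edit > Mark/Unmark Packet flips the mark on each selected packet.
    for p in packets:
        p.marked = p.marked != (p.number in numbers)

def export_marked(packets):
    # Export Specified Packets > "Marked packets": the subset that would be written.
    return [p.number for p in packets if p.marked]

# Constructed sample "capture" (four hand-written packets, not a real pcap).
SAMPLE = [
    Packet(1, "GET /index.html HTTP/1.1", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    Packet(2, "HTTP/1.1 200 OK", b"HTTP/1.1 200 OK\r\n\x0a\x1b\x2c"),
    Packet(3, "Standard query A example.test", b"\x12\x34\x01\x00"),
    Packet(4, "GET /login HTTP/1.1", b"GET /login HTTP/1.1\r\nHost: example.test\r\n"),
]
```

Note that packet 3 matches "example.test" only in the Info column, not in its bytes, which is the difference between the Packet list and Packet bytes search targets.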
