Doesn't wireshark already have this?
CTRL-F and then type in the filter string
then click "Find" and it will cycle through the packets that are matching.
On Sun, Mar 21, 2021 at 7:18 AM Richard Sharpe
<realrichardsharpe@xxxxxxxxx> wrote:
>
> Hi folks,
>
> I use Wireshark a great deal in my job because I am always looking at
> captures when trying to figure out bugs in our code.
>
> I often have captures with a lot of different types of packets and
> need to find a particular set of packets of mixed type, eg SMB2
> followed by the NFS packets caused by the SMB2 request or SMB2
> followed by the Kerberos packets caused etc.
>
> What I would like to be abe to do is to set up a filter string for a
> specific type of SMB2 request, say, based on source and dest IP and
> maybe type (ie, a CREATE, or whatever) and then go to the first such
> packet in the capture and then examine the subsequent packets to see
> if they satisfy my criteria. If they don't then I would like to go the
> next packet that satisfies my filter string and examine them, and so
> on until I find what I am looking for.
>
> I will usually also have filtered already on two types of frames (or a
> few types) like SMB2 || NFS.
>
> Currently, the only way I can think to do this is to filter on SMB2,
> select the first one I am interested in, unfilter (or refilter),
> examine the packets, and if they are not what I am interested in,
> refilter on SMB2 and select the next packet, and so on. The workflow
> is quite painful.
>
> Is there a simpler way to do this?
>
> If not, could we add a button for Next packet satisfying filter?
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)(传说杜康是酒的发明者)
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
