Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Is there a way to easily go to the next packet that satisfie

From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Sat, 20 Mar 2021 16:44:56 -0500

On Sat, Mar 20, 2021 at 4:17 PM Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
Hi folks,

I use Wireshark a great deal in my job because I am always looking at
captures when trying to figure out bugs in our code.

I often have captures with a lot of different types of packets and
need to find a particular set of packets of mixed type, eg SMB2
followed by the NFS packets caused by the SMB2 request or SMB2
followed by the Kerberos packets caused etc.

What I would like to be abe to do is to set up a filter string for a
specific type of SMB2 request, say, based on source and dest IP and
maybe type (ie, a CREATE, or whatever) and then go to the first such
packet in the capture and then examine the subsequent packets to see
if they satisfy my criteria. If they don't then I would like to go the
next packet that satisfies my filter string and examine them, and so
on until I find what I am looking for.

I will usually also have filtered already on two types of frames (or a
few types) like SMB2 || NFS.

Currently, the only way I can think to do this is to filter on SMB2,
select the first one I am interested in, unfilter (or refilter),
examine the packets, and if they are not what I am interested in,
refilter on SMB2 and select the next packet, and so on. The workflow
is quite painful.

Is there a simpler way to do this?

If not, could we add a button for Next packet satisfying filter?

--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)(传说杜康是酒的发明者)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe