Add information on the packet search feature to the user guide
gcla authored Jun 1, 2022
1 parent d0e1859 commit efaeaa3
Showing 1 changed file with 25 additions and 0 deletions.
25 changes: 25 additions & 0 deletions docs/UserGuide.md
Expand Up @@ -18,6 +18,7 @@ Termshark provides a terminal-based user interface for analyzing packet captures
- [Packet Structure View](#packet-structure-view)
- [Packet Hex View](#packet-hex-view)
- [Marking Packets](#marking-packets)
- [Searching Packets](#searching-packets)
- [Copy Mode](#copy-mode)
- [Packet Capture Information](#packet-capture-information)
- [Stream Reassembly](#stream-reassembly)
Expand Down Expand Up @@ -252,6 +253,30 @@ To jump back to that mark, hit `'` followed by the letter you selected. To jump

![marks2](/../gh-pages/images/marks2.png?raw=true)

### Searching Packets

To search within packets, hit `ctrl-f` to open termshark's search bar. The options provided closely mirror those available with Wireshark. The first button displays a menu that lets you choose the type of data searched:

- Packet List - the info shown in the packet list view (by default the top data pane)
- Packet Struct - the info shown in the packet struct view (by default the middle data pane)
- Packet Bytes - the info shown in the packet hex view (by default the bottom data pane)

The second button lets you choose what to search for:

- String (with or without case sensitivity)
- Regex (with or without case sensitivity)
- Hex
- Display Filter

The Hex syntax follows Wireshark and requires a sequence of 2 hex-digits, concatenated. For example, entering "AF054c" would mean to search for the following 3 bytes, consecutively - 175, 5, 76.

Display Filter search is a special case and does not search the packet data directly. Instead, termshark launches a tshark process on the current pcap source with flags to apply the user's search filter. Termshark parses the output and every packet that appears in the PSML data is a match for the search.

If a match is found, termshark will navigate to the match location in the UI. For a Packet List search, the matching row and column are selected. For a Packet Struct search, the matching element in the packet structure view is expanded and the UI centered around it. For a Packet Bytes search, the cursor is moved to the start of the match in the packet hex view.

To terminate the search early, hit `ctrl-c`. To set focus on the search bar's input, hit `ctrl-f` again. To close the search bar, hit `ctrl-f` one more time.


### Copy Mode

Both the structure and hex view support "copy mode" a feature which lets you copy ranges of data from the currently selected packet. First, move focus to the part of the packet you wish to copy. Now hit the `c` key - a section of the packet will be highlighted in yellow:
Expand Down
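Review bot: The new section documents only the success path; the no-match case is missing. After "If a match is found, termshark will navigate to the match location in the UI", say what the user sees when nothing matches and whether the search wraps around from the last packet back to the first, since that is the first thing a reader of a search-bar section looks for. The Display Filter paragraph needs the same treatment: because the filter is handed to a separately launched tshark process rather than matched against the loaded packet data, document how a filter that tshark rejects is reported to the user. Two smaller points: "PSML" appears without expansion, so write it out (Packet Summary Markup Language) or point at the tshark output formats the first time it is used, and "a sequence of 2 hex-digits" reads better as "a sequence of two hex digits"; finally, there are two blank lines between the `ctrl-f` paragraph and `### Copy Mode` where the rest of the guide uses one.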
