From efaeaa3de92f9e1f72e7fbc24beddc4f2986fa92 Mon Sep 17 00:00:00 2001 From: Graham Clark Date: Tue, 31 May 2022 22:16:12 -0400 Subject: [PATCH] Add information on the packet search feature to the user guide --- docs/UserGuide.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docs/UserGuide.md b/docs/UserGuide.md index ac31f83..c162a2c 100644 --- a/docs/UserGuide.md +++ b/docs/UserGuide.md @@ -18,6 +18,7 @@ Termshark provides a terminal-based user interface for analyzing packet captures - [Packet Structure View](#packet-structure-view) - [Packet Hex View](#packet-hex-view) - [Marking Packets](#marking-packets) + - [Searching Packets](#searching-packets) - [Copy Mode](#copy-mode) - [Packet Capture Information](#packet-capture-information) - [Stream Reassembly](#stream-reassembly) 
@@ -252,6 +253,30 @@ To jump back to that mark, hit `'` followed by the letter you selected. To jump ![marks2](/../gh-pages/images/marks2.png?raw=true) +### Searching Packets + +To search within packets, hit `ctrl-f` to open termshark's search bar. The options provided closely mirror those available with Wireshark. The first button displays a menu that lets you choose the type of data searched: + +- Packet List - the info shown in the packet list view (by default the top data pane) +- Packet Struct - the info shown in the packet struct view (by default the middle data pane) +- Packet Bytes - the info shown in the packet hex view (by default the bottom data pane) + +The second button lets you choose what to search for: + +- String (with or without case sensitivity) +- Regex (with or without case sensitivity) +- Hex +- Display Filter + +The Hex syntax follows Wireshark and requires a sequence of 2 hex-digits, concatenated. For example, entering "AF054c" would mean to search for the following 3 bytes, consecutively - 175, 5, 76. + +Display Filter search is a special case and does not search the packet data directly. Instead, termshark launches a tshark process on the current pcap source with flags to apply the user's search filter. Termshark parses the output and every packet that appears in the PSML data is a match for the search. + +If a match is found, termshark will navigate to the match location in the UI. For a Packet List search, the matching row and column are selected. For a Packet Struct search, the matching element in the packet structure view is expanded and the UI centered around it. For a Packet Bytes search, the cursor is moved to the start of the match in the packet hex view. + +To terminate the search early, hit `ctrl-c`. To set focus on the search bar's input, hit `ctrl-f` again. To close the search bar, hit `ctrl-f` one more time. 
+ + ### Copy Mode Both the structure and hex view support "copy mode" a feature which lets you copy ranges of data from the currently selected packet. First, move focus to the part of the packet you wish to copy. Now hit the `c` key - a section of the packet will be highlighted in yellow:
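Review bot: In the Display Filter paragraph of the new Searching Packets section, "PSML" is used without being introduced and "flags to apply the user's search filter" names no flag, so a reader who has not driven tshark by hand cannot tell what termshark actually does or reproduce it. Suggest expanding the acronym on first use, e.g. "tshark's PSML (Packet Summary Markup Language) output", and naming the options passed (tshark's `-Y <filter>` selects packets by display filter and `-T psml` selects that output format, if those are the ones termshark uses). Two wording points in the same hunk: "requires a sequence of 2 hex-digits, concatenated" reads as if exactly two digits are permitted; "a sequence of bytes, each written as two hex digits with no separator between them" says what the `AF054c` example shows, and the sentence should also state whether mixed case and an odd digit count are accepted. And "To terminate the search early, hit `ctrl-c`" should say that this cancels only the running search rather than exiting termshark, since ctrl-c is the conventional interrupt in terminal tools; if that is not the behaviour, the sentence needs a warning instead. Finally, unlike the Marking Packets section just above it, this section ships without a screenshot; one of the search bar with the two menus open would match the rest of the guide.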