Selecting packets matching user-defined criteria
You can use the command and Select dialog to select captured packets based on various selection criteria. You can choose to select either all packets matching your criteria, or all packets not matching your criteria. Only the visible packets displayed in the active capture window can be selected.
The selection criteria includes the following:
• Packets matching one or more filters
• Packets containing a certain ASCII or hex string
• Packets that are of a certain length
• Packets that match a specific Analysis Module
NOTE: In a Capture Engine capture window, the Select dialog selects all matching packets in the capture buffer resident on the Capture Engine.
IMPORTANT: Packet slicing can affect the operation of some selection tools. When used from the Select dialog, filters, Analysis Modules and other selection tools read packet contents from the captured packets to determine protocols, addresses and related information. If the packet slice value was set in such a way as to discard some of the information these tools expect to find, they will not be able to identify packet attributes correctly.
To use the Select dialog to select packets:
1. On the menu, click. The Select Packets dialog appears.
2. Complete the dialog:
• Matches one or more filters: Select this option to select packets that match one or more filters, and then select which filters that you want to match in the filter box below this option. When multiple filters are enabled simultaneously, the result is the equivalent of a logical OR statement: a packet matching any one of the enabled filters will be considered a match.
• Contains ASCII: Select this option to select packets that contain a specific ASCII string, and then enter the ASCII string in the box next to this option.
• Contains hex: Select this option to select packets that contain a specific hex value, and then enter the hex value in the box next to this option.
NOTE: The Contains ASCII and Contains hex options search through the raw packet data, not the packet decode. In the raw packet data, ASCII text will only be present when the packet contains application data which uses that encoding, such as the body of an email message, a web page, and so forth. Packet headers, including source and destination addresses, are hexadecimal.
• Length is between ____ and _____ bytes: Select this option to select packets that are of a certain length, and then type or enter the minimum and maximum number of bytes
• Analysis Module: Select this option to select packets that match an Analysis Module, and then select which Analysis Module that you want to match from the list.
NOTE: When you open the Select dialog for a Capture Engine capture window, only the relevant Analysis Modules available on the Capture Engine will be shown. If you disabled Analysis Modules for this Capture Engine capture window in the Analysis Options view of the remote Capture Options dialog, no packets will be selected when you choose the Analysis Modules option in the Select dialog.
• Packet range: Select this option to select packets that are within a range of packets, and then enter the desired range.
• Packet time: Select this option to select packets that are within a specific time range, and then specify the time range by selecting or entering both the starting and ending dates and times.
• Match: Select this option to select packets that match your selection criteria.
• Do not match: Select this option to select packets that do not match your selection criteria.
• Replace: Select this option to display only the newly selected packets.
• Add to: Select this option to display any packets currently selected and the newly selected packets.
• Selected: Displays the number of packets selected.
• Select Packets: Click to select packets that match your selection criteria. Once you click Select Packets, a Selection Results dialog appears noting how many packets were selected. You can then choose the option to , , , or to simply close the dialog without further action.
3. Click to perform the selection.
The Selection Results dialog appears, showing the number of packets selected that match the selection criteria.
4. Click one of the following on the dialog:
• Highlight selected packets: Click to highlight all items that were found that do match the related packets.
• Hide selected packets: Click to hide all items that were found that do match the related packets.
• Hide unselected packets: Click to hide all items that were found that do not match the related packets.
• Copy selected packets to new window: Click to copy all items that were found that do match the related packets into a new capture window.
This creates a temporary capture window called [capture window name] - Selection, containing only the related packets. The packets are renumbered, but the original packet order is retained.
• Label selected packets: Click to label the selected packets with the selected highlight color.
NOTE: To unhide packets, use Unhide All Packets from the menu. You can also press from the keyboard.