The great thing about CloudShark’s capture decode is that it supports all of the standard Wireshark display filters. You may know the common ones, such as searching on IP address, TCP port, or even protocol; but did you know you can search for any ASCII or hex values in any field throughout the capture?
It’s true. The “frame contains” filter will let you pick out only those packets that contain a sequence of any ASCII or Hex value that you specify. The syntax is simple. For example:
frame contains "cloudshark"
…will show you only those packets that contain the word “cloudshark” somewhere in them.
CloudShark lets you embed these filters right in the URL that you share. Take a look at this capture with the above filter applied:
The frame contains feature can also be used for Hex values. For example, if I only want to view the DNS query with transaction ID
You can even get more specific, using the “contains” filter to look at specific parts of a frame, such as
tcp contains or
Last but not least, you can of course always use the concatenation operators. For example, if I wanted to find my DNS query for www.cloudshark.org:
Note that DNS records use various separators in place of literal dots “.”. As a result, to ensure that DNS packets appear when searching for domain names, the filter
frame contains "google" should be used instead of
frame contains "google.com".
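The following is an added example, not code from CloudShark or the original article. It shows why the dotted name never appears in a DNS packet and builds a hex "frame contains" filter that matches the full name as it is encoded on the wire. The function names, the sample query and the transaction ID 0x1A2B are constructed for illustration.

```python
import struct

def dns_wire_name(name: str) -> bytes:
    """Encode a hostname the way DNS carries it: <len><label>... then 0x00."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        out.append(len(raw))   # length byte sits where the dot would be
        out += raw
    out.append(0)              # root label ends the name
    return bytes(out)

def build_query(name: str, txid: int) -> bytes:
    """Constructed DNS query payload: header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(name) + struct.pack("!HH", 1, 1)

def contains_filter(name: str) -> str:
    """Hex 'frame contains' filter for the name as it appears on the wire.

    The trailing root byte is dropped so the pattern also matches inside
    longer names (www.<name>) and names that end in a compression pointer.
    """
    wire = dns_wire_name(name)[:-1]
    return "frame contains " + ":".join(f"{b:02x}" for b in wire)

if __name__ == "__main__":
    payload = build_query("www.google.com", txid=0x1A2B)  # constructed sample
    for needle in (b"google.com", b"google", dns_wire_name("google.com")[:-1]):
        print(f"{needle!r:32} in payload: {needle in payload}")
    print(contains_filter("google.com"))
```

The "contains" operator is case-sensitive while DNS names are not, so a query sent with different letter case needs its own pattern.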
Very powerful tools indeed. Feel free to try your own filters on this capture!