Wireshark · Ethereal-users: Re: [ethereal-users] Find filter question

Ethereal-users: Re: [ethereal-users] Find filter question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>

Date: Mon, 11 Sep 2000 20:09:18 -0700

On Mon, Sep 11, 2000 at 06:27:15PM -0700, Gary Taylor wrote:
> In working with the find filter, is it possible to search for text.  The man
> page indicates that each protocol field is typed.  Not sure what that means.

It means that protocol field all have data types, i.e. a field can be
one of the types listed in the man page right after it says
"Furthermore, each protocol field is typed.":

           Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
           Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
           Boolean
           Ethernet address (6 bytes)
           Byte string (n-number of bytes)
           IPv4 address
           IPv6 address
           IPX network number
           String (text)
           Double-precision floating point number

so that if you're filtering on the value of an unsigned integer protocol
field, you'd compare it with an unsigned integer value, and if you're
filtering on the value of an IPv4 address field, you'd compare it with
an IPv4 address value (such as "192.9.200.73", or a host name that could
be translated to an IPv4 address), and so on.

> What I'm trying to do is search using the Edit>Find Frame feature.

As noted in Gilbert's reply, you can't currently construct a display
filter that checks for for raw data values appearing anywhere in a
packet - you can have a filter that checks for raw data values appearing
at a particular offset in a packet, but you can't build a filter that'll
match packets that have 0xff 0xfd 0x28, in sequence, *anywhere* in the
packet.

(Note also that the filter expressions in "Edit->Find Frame" are
*exactly* the same as those in the display filter box, so it's not as if
there's something you can do with one that you can't do with the other.)

> If I prepend it with the word
> text eq it gives me an error and closes Ethereal.

As you might infer from Gilbert's reply, what "closed" Ethereal was your
X server, because Ethereal exited at that point - and did so because a
check internal to Ethereal found an internal error, i.e. something
happened that the code wasn't prepared to have happen.

I.e., it was a crash; fortunately, it was easy to reproduce, and we know
where it's blowing up (the only question at this point is the precise
changes to make internally to Ethereal to make it not happen).  If
Ethereal spontaneously disappears, it's almost certainly a crash, and
almost certainly means that there's a core dump file; see the "How to
Report a Bug" section in the Ethereal README file.  (For this particular
crash, you don't have to take the steps listed there, as we can make the
crash happen on demand, and already know where it's blowing up.)

References:
- [ethereal-users] Find filter question
  - From: Gary Taylor

Prev by Date: Re: [ethereal-users] Find filter question
Next by Date: [no subject]
Previous by thread: Re: [ethereal-users] Find filter question
Next by thread: [no subject]
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$