Ethereal-users: Re: [Ethereal-users] String search of packet details for hash value
If that hash appears in a given protocol field, that's fairly easy to
search for with a display filter expression:

    protocol.field_name == "hash_value"

Or with regular expressions, just in case the hash is displayed as
ASCII hex characters:

    protocol.field_name matches "(?i)hash_value"

This is a case-insensitive search which will try to search for BACD as
well as bacd or BacD etc.

If that hash only appears in binary fashion, and the hash appears as a
dissected protocol field, then the following expression will do:

    protocol.field_name == hash_value

If however that hash does not appear as (part of) a dissected field,
then you can still use constructs like:

    frame matches "(?i)hash_value"

or even:

    frame matches "\x1a\x2b\x3c\x4d"

if the hash appears as binary with hexadecimal representation
0x1a2b3c4d.

Hope this helps!
Best regards,
Olivier
----- Original Message -----
From: Daily, Gregory S
| Using version 0.10.5a on Win XP Pro.
|
| Conducting a long term packet capture and need to find
| specific packet containing a hash value for a downloaded file. I can
| find the value by manually searching each packet, however doing an
| automated string search of the packet details does not find the value
| even when I know it is there. Any suggestions???
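
The two frame-level searches from the reply above (case-insensitive ASCII hex, and raw bytes) can also be run outside the GUI over a saved capture. The following is an added example, not part of the original thread or of Ethereal itself; it assumes a classic libpcap file (not pcapng), and the function names and the sample capture are constructed for illustration.

```python
import re
import struct

def frames(pcap: bytes):
    """Yield (frame_number, frame_bytes) from a classic libpcap capture."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset, number = 24, 1                      # skip the 24-byte global header
    while offset + 16 <= len(pcap):
        _sec, _usec, caplen, _origlen = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        yield number, pcap[offset:offset + caplen]
        offset += caplen
        number += 1

def find_hash(pcap: bytes, hash_hex: str):
    """Return [(frame_number, 'ascii' | 'binary'), ...] for frames holding the hash."""
    raw = bytes.fromhex(hash_hex)               # like frame matches "\x1a\x2b\x3c\x4d"
    ascii_re = re.compile(re.escape(hash_hex.encode()), re.IGNORECASE)  # like "(?i)..."
    hits = []
    for number, data in frames(pcap):
        if ascii_re.search(data):
            hits.append((number, "ascii"))
        if raw in data:
            hits.append((number, "binary"))
    return hits

def build_sample_pcap(payloads):
    """Constructed test capture: global header plus one record per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", i, 0, len(p), len(p)) + p
    return out

# Constructed sample frames (not real traffic).
SAMPLE = build_sample_pcap([
    b"GET /file HTTP/1.0\r\n\r\n",
    b"hash=1A2B3C4D\r\n",               # hash as ASCII hex, upper case
    b"\x00\x01\x1a\x2b\x3c\x4d\xff",    # same hash as raw bytes
])

if __name__ == "__main__":
    for number, kind in find_hash(SAMPLE, "1a2b3c4d"):
        print(f"frame {number}: {kind} match")
```

A hash that straddles two frames is not found by this per-frame search, just as it is not found by `frame matches`.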