Hi Hussain,

Unfortunately there is not (yet) a field "tcp.data", which would overcome your TCP options issue. However, with the field data.data you could accomplish what you need, it just might give you some "false positives". Here is what you could use:
  
data.data matches "\xe3....[\x4c\x38\x58]"
  
Which will match any *packet* in which there is an octet with the value 0xE3 followed by random octets with any value (represented by the dots) and then an octet with a value of either 0x4C, 0x38 or 0x58.
  
If however this sequence is segmented over 2 packets, the filter would not match. If the field tcp.data was available *and* the protocol dissector is able to reassemble the tcp-data, then the filter 'tcp.data matches "\xe3....[\x4c\x38\x58]"' would be exactly what you need.
  
Cheers, 
  
  
Sake 
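The three points in the reply (a fixed offset like tcp[20:1] breaks once the header carries options, an unanchored data.data match can fire anywhere in the payload, and a pattern split over two segments only matches after reassembly), as an added example in Python that is not from the thread or from Wireshark. The TCP segments, ports and option bytes are constructed for the demonstration.

```python
import re
import struct
from typing import Iterable

# The pattern from the reply: 0xE3, four octets of any value, then 0x4C, 0x38 or 0x58.
# re.DOTALL makes "." also match 0x0A, so every octet value is accepted as in Wireshark.
PATTERN = re.compile(rb"\xe3....[\x4c\x38\x58]", re.DOTALL)

def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment (no IP header): 20-byte fixed header, options padded
    to a 32-bit boundary, then the payload. Port/seq/ack values are arbitrary."""
    while len(options) % 4:
        options += b"\x00"                              # pad with End-of-Option-List
    data_offset = ((20 + len(options)) // 4) << 4       # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_offset, 0x18, 65535, 0, 0)
    return header + options + payload

def tcp_payload(segment: bytes) -> bytes:
    """Locate the payload via the data-offset nibble, so options are skipped correctly."""
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid TCP data offset")
    return segment[header_len:]

def fixed_offset_match(segment: bytes) -> bool:
    """Filter 3 from the thread: tcp[20:1] eq e3 and tcp[25:1] in {4c,38,58}.
    Only right when the header has no options, i.e. the payload starts at byte 20."""
    return len(segment) > 25 and segment[20] == 0xE3 and segment[25] in (0x4C, 0x38, 0x58)

def payload_match(payload: bytes, anchored: bool = False) -> bool:
    """The 'data.data matches' filter. Unanchored it fires on the sequence anywhere in
    the payload (the 'false positives'); anchored, 0xE3 must be the first payload octet."""
    m = PATTERN.match(payload) if anchored else PATTERN.search(payload)
    return m is not None

def stream_match(segments: Iterable[bytes]) -> bool:
    """What a 'tcp.data matches' over reassembled data would see: payloads joined in order."""
    return payload_match(b"".join(tcp_payload(s) for s in segments))

if __name__ == "__main__":
    hit = b"\xe3\x09\x08\xff\xf3\x4c"
    with_mss = build_segment(hit, options=b"\x02\x04\x05\xb4")   # 4-byte MSS option
    print(fixed_offset_match(build_segment(hit)), fixed_offset_match(with_mss))  # True False
    print(payload_match(tcp_payload(with_mss)))                                 # True
    parts = [build_segment(hit[:3]), build_segment(hit[3:])]
    print([payload_match(tcp_payload(p)) for p in parts], stream_match(parts))  # [False, False] True
```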
  
  ----- Original Message -----

  Sent: Monday, October 05, 2009 9:37 AM
  Subject: Re: [Wireshark-users] Searching for a particular sequence in a packet
  
  Hi, have been trying but have still been unsuccessful in trying to come up with the right filters :(

  For example I wanted to know which packets had the following sequence: first byte of the TCP data load is 0xe3, and then the fifth byte after 0xe3 should be either 0x4c, or 0x38, or 0x58.

  To do this I came up with the following filters:

  1. data[0:1] == e3 and (data[5:1] == 4c or data[5:1] == 38 or data[5:1] == 58)
  2. data.data[0:1] == e3 and (data.data[5:1] == 4c or data.data[5:1] == 38 or data.data[5:1] == 58)
  3. tcp[20:1] eq e3 and (tcp[25:1] eq 4c or tcp[25:1] eq 38 or tcp[25:1] eq 58)

  Filters 1 and 2 apparently did not seem to work. In the capture file I had, there were at least two packets with the sequence 0xe3 hex hex hex hex 0x4c, where hex simply represents any hex value. And filters 1 and 2 only seemed to find 1 of the packets.

  I seemed to be able to get things to work correctly with filter number 3. However, the problem with number 3 is that it would not work if the tcp header had options enabled in it, and at the moment I do not know how to overcome that. Also does anyone know what I would do in the case where I didn't know that e3 was in the first byte, and just knew that 4 bytes after e3 I would find either 4c, 38, or 58.

  I have attached the sample pcap that I was using along with this e-mail as well.

  Thanks for all the help.

  Regards, Hussain.
 
  
  On Sat, Sep 26, 2009 at 2:53 AM, Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx> wrote:

    On Sep 25, 2009, at 12:06 AM, Hussain wrote:
    > Also I was just wondering if it was possible to search with offsets.
    > For example, I want to search for packets where the first byte is
    > let's say \xe3 (HEX), and then after four bytes, I get the string
    > \x45 (HEX value). I.e. one such possible sequence could be, e3 09 08
    > ff f3 45.

    This page should help with display filters:
    http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

    ___________________________________________________________________________
    Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
    Archives: http://www.wireshark.org/lists/wireshark-users
    Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
    mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
   