Wireshark-users: Re: [Wireshark-users] Searching for a particular sequence in apacket
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Mon, 5 Oct 2009 13:15:47 +0200
Hi Hussain,
 
Good to hear that the filter helps you achieve your goal. The reason why no "|" is needed, is because with "[...]" you make a set of characters. With "[0-9a-fA-F]" you can match any hexadecimal digit for example. So the *or* is implicit in "[...]", but you can only use single characters or ranges of characters. When you want to match something more complex like either "cat" or "dog", you will have to use the "|" sign like in "cat|dog". In your case, you could also have used the filter "tcp matches '\xe3....(\x4c|\x38|\x58)"'.
 
For more info: http://www.pcre.org/, as wireshark uses the PCRE library...
 
Cheers,
 
 
Sake
 
----- Original Message -----
From: Hussain
Sent: Monday, October 05, 2009 12:24 PM
Subject: Re: [Wireshark-users] Searching for a particular sequence in apacket

Hi Sake thanks a lot.

I tried the recommended filter below. However, I still faced some problems with certain packets not showing up. But then I tried the following filter
tcp matches "\xe3....[\x4c\x38\x58]"

and I believe I got all the packets plus a few false positives. I know this increases the chance of false positives, but this seemed to give the results I was looking for with more reliability.

And oh, I was just curious about one thing. Why did we not need to use the "|" (i.e. the pipe) operator in the _expression_ above? I thought that the | operator would have been necessary, with the statement being [\x4c|\x38|\x58]. Maybe I am just confusing things.

Thanks once again.

Regards,
Hussain.



On Mon, Oct 5, 2009 at 3:21 PM, Sake Blok <sake@xxxxxxxxxx> wrote:
Hi Hussain,
 
Unfortunately there is not (yet) a field "tcp.data", which would overcome your TCP options issue. However, with the field data.data you could accomplish what you need, it just might give you some "false positives". Here is what you could use:
 
data.data matches c
 
Which will match any *packet* in which there is an octet with the value 0xE3 followed by random octets with any value (represented by the dots) and then an octet with a value of either 0x4C, 0x38 or 0x58.
 
If however this sequense is segmented over 2 packets, the filter would not match. If the field tcp.data was available *and* the protocol dissector is able to reassemble the tcp-data, then the filter 'tcp.data matches "\xe3....[\x4c\x38\x58]"' would be exactly what you need.
 
Cheers,
 
 
Sake
 
----- Original Message -----
From: Hussain
Sent: Monday, October 05, 2009 9:37 AM
Subject: Re: [Wireshark-users] Searching for a particular sequence in apacket

Hi, have been trying but have still been unsuccessful in trying to come up with the right filters :(

For example I wanted to know which packets had the following sequence;
First byte of the TCP data load is 0xe3, and then the fifth byte after 0xe3 should be either 0x4c, or 0x38, or 0x58.

To do this I came up with the following filters
1. data[0:1] == e3 and (data[5:1] == 4c or data[5:1] == 38 or data[5:1] == 58 )
2. data.data[0:1] == e3 and (data.data[5:1] == 4c or data.data[5:1] == 38 or data.data[5:1] == 58 )
3. tcp[20:1] eq e3 and (tcp[25:1] eq 4c or tcp [25:1] eq 38 or tcp [25:1] eq 58)

Filters 1 and 2 apparently did not seem to work. In the capture file I had, there were at least two packets with the sequence, 0xe3 hex hex hex hex 0x4c, and hex simply represent any hex value. And the filters 1 and 2 only seemed to find 1 of the packets.

I seemed to be able to get things to work correctly with filter number 3. However, the problem with number 3 is that it would not work if the tcp header had options enabled in it, and at the moment I do not know how to over come that. Also does anyone know what I would do in the case where, I didn't know that e3 was in the first byte, and just knew that 4 bytes after e3, I would find either 4c, 38, or 58.

I have attached the sample pcap that I was using along with this e-mail as well.

Thanks for all the help.

Regards,
Hussain.


On Sat, Sep 26, 2009 at 2:53 AM, Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx> wrote:

On Sep 25, 2009, at 12:06 AM, Hussain wrote:

> Also I was just wondering it was possible to search with offsets.
> For example, I want to search for packets where the first byte is
> let's say \xe3 (HEX), and then after four bytes, I get the string
> \x45 (HEX value). I.e. one such possible sequence could be, e3 09 08
> ff f3 45.

This page should help with display filters:

  http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe