Wireshark mailing list archives

Re: Searching for a particular sequence in a packet


From: "Sake Blok" <sake () euronet nl>
Date: Mon, 5 Oct 2009 13:15:47 +0200

Hi Hussain,

Good to hear that the filter helps you achieve your goal. The reason why no "|" is needed, is because with "[...]" you 
make a set of characters. With "[0-9a-fA-F]" you can match any hexadecimal digit for example. So the *or* is implicit 
in "[...]", but you can only use single characters or ranges of characters. When you want to match something more 
complex like either "cat" or "dog", you will have to use the "|" sign like in "cat|dog". In your case, you could also 
have used the filter 'tcp matches "\xe3....(\x4c|\x38|\x58)"'.

For more info: http://www.pcre.org/, as wireshark uses the PCRE library...

Cheers,


Sake

  ----- Original Message ----- 
  From: Hussain 
  To: Community support list for Wireshark 
  Sent: Monday, October 05, 2009 12:24 PM
  Subject: Re: [Wireshark-users] Searching for a particular sequence in a packet


  Hi Sake thanks a lot. 

  I tried the recommended filter below. However, I still faced some problems with certain packets not showing up. But 
then I tried the following filter 
  tcp matches "\xe3....[\x4c\x38\x58]"

  and I believe I got all the packets plus a few false positives. I know this increases the chance of false positives, 
but this seemed to give the results I was looking for with more reliability.

  And oh, I was just curious about one thing. Why did we not need to use the "|" (i.e. the pipe) operator in the 
expression above? I thought that the | operator would have been necessary, with the statement being [\x4c|\x38|\x58]. 
Maybe I am just confusing things. 

  Thanks once again. 

  Regards,
  Hussain. 




  On Mon, Oct 5, 2009 at 3:21 PM, Sake Blok <sake () euronet nl> wrote:

    Hi Hussain,

    Unfortunately there is not (yet) a field "tcp.data", which would overcome your TCP options issue. However, with the 
field data.data you could accomplish what you need, it just might give you some "false positives". Here is what you 
could use:

    data.data matches "\xe3....[\x4c\x38\x58]"

    Which will match any *packet* in which there is an octet with the value 0xE3 followed by random octets with any 
value (represented by the dots) and then an octet with a value of either 0x4C, 0x38 or 0x58.

    If however this sequence is segmented over 2 packets, the filter would not match. If the field tcp.data was 
available *and* the protocol dissector is able to reassemble the tcp-data, then the filter 'tcp.data matches 
"\xe3....[\x4c\x38\x58]"' would be exactly what you need.

    Cheers,


    Sake

      ----- Original Message ----- 
      From: Hussain 
      To: Community support list for Wireshark 
      Sent: Monday, October 05, 2009 9:37 AM
      Subject: Re: [Wireshark-users] Searching for a particular sequence in a packet


      Hi, I have been trying but have still been unsuccessful in trying to come up with the right filters :(

      For example I wanted to know which packets had the following sequence; 
      First byte of the TCP data load is 0xe3, and then the fifth byte after 0xe3 should be either 0x4c, or 0x38, or 
0x58. 

      To do this I came up with the following filters
      1. data[0:1] == e3 and (data[5:1] == 4c or data[5:1] == 38 or data[5:1] == 58 )
      2. data.data[0:1] == e3 and (data.data[5:1] == 4c or data.data[5:1] == 38 or data.data[5:1] == 58 )
      3. tcp[20:1] eq e3 and (tcp[25:1] eq 4c or tcp [25:1] eq 38 or tcp [25:1] eq 58)

      Filters 1 and 2 apparently did not seem to work. In the capture file I had, there were at least two packets with 
the sequence, 0xe3 hex hex hex hex 0x4c, and hex simply represent any hex value. And the filters 1 and 2 only seemed to 
find 1 of the packets. 

      I seemed to be able to get things to work correctly with filter number 3. However, the problem with number 3 is 
that it would not work if the tcp header had options enabled in it, and at the moment I do not know how to overcome 
that. Also does anyone know what I would do in the case where I didn't know that e3 was in the first byte, and just 
knew that 4 bytes after e3 I would find either 4c, 38, or 58. 

      I have attached the sample pcap that I was using along with this e-mail as well. 

      Thanks for all the help. 

      Regards,
      Hussain. 



      On Sat, Sep 26, 2009 at 2:53 AM, Stephen Fisher <steve () stephen-fisher com> wrote:


        On Sep 25, 2009, at 12:06 AM, Hussain wrote:

        > Also I was just wondering it was possible to search with offsets.
        > For example, I want to search for packets where the first byte is
        > let's say \xe3 (HEX), and then after four bytes, I get the string
        > \x45 (HEX value). I.e. one such possible sequence could be, e3 09 08
        > ff f3 45.


        This page should help with display filters:

          http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
        ___________________________________________________________________________
        Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
        Archives:    http://www.wireshark.org/lists/wireshark-users
        Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
                    mailto:wireshark-users-request () wireshark org?subject=unsubscribe










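The three filter strategies discussed in this thread (byte-slice filters pinned to the start of the payload, a fixed `tcp[20:1]` offset that breaks when TCP options are present, and the `matches` regex that searches the whole payload) can be reproduced offline on constructed TCP segments. The following is an added example, not code from the thread or from the Wireshark project; it uses Python's `re` module on bytes, and the TCP segments and payloads are constructed test data. It also shows one caveat a practitioner should check on their own regex engine: in Python's `re`, `.` does not match 0x0A unless `DOTALL` is set, so a 0x0A in one of the four wildcard positions would silently miss (whether Wireshark's `matches` operator behaves the same way is an assumption to verify on your build, not something the thread states).

```python
"""Added example (not from the thread): reproduce the filter strategies
discussed above on constructed TCP segments, entirely offline.

- payload_offset(): find the payload from the header's Data Offset field
  instead of assuming a 20-byte header (the 'tcp[20:1]' problem with options).
- matches_anchored(): the byte-slice filters, pinned to offset 0 of the payload.
- matches_anywhere(): the 'matches' regex, which searches the whole payload.
"""
import re
import struct

# The regex from the thread as a bytes pattern. "[\x4c\x38\x58]" is a character
# class (an implicit OR of single bytes); "(?:\x4c|\x38|\x58)" is the alternation
# form. For single bytes the two are equivalent.
# re.DOTALL is needed in Python so "." also matches 0x0A; without it a 0x0A in
# one of the four wildcard positions breaks the match (see PATTERN_NO_DOTALL).
PATTERN_CLASS = re.compile(rb"\xe3....[\x4c\x38\x58]", re.DOTALL)
PATTERN_ALT = re.compile(rb"\xe3....(?:\x4c|\x38|\x58)", re.DOTALL)
PATTERN_NO_DOTALL = re.compile(rb"\xe3....[\x4c\x38\x58]")


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Construct a minimal TCP header followed by optional TCP options and the
    payload. Options are padded to a 4-byte boundary and Data Offset is set
    accordingly. The checksum is left at zero: this is constructed test data."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad with End-of-Option-List
    data_offset_words = (20 + len(options)) // 4
    offset_byte = (data_offset_words << 4) & 0xF0  # upper nibble = header length in words
    header = struct.pack(
        "!HHIIBBHHH",
        12345,        # source port (constructed)
        443,          # destination port (constructed)
        1,            # sequence number
        1,            # acknowledgement number
        offset_byte,  # data offset + reserved bits
        0x18,         # flags: PSH, ACK
        65535,        # window
        0,            # checksum (not computed)
        0,            # urgent pointer
    )
    return header + options + payload


def payload_offset(segment: bytes) -> int:
    """Index where the TCP payload starts, read from the Data Offset field
    (header length in 32-bit words) rather than assumed to be 20."""
    return (segment[12] >> 4) * 4


def matches_anchored(payload: bytes) -> bool:
    """Equivalent of 'data[0:1] == e3 and (data[5:1] == 4c or ...)':
    the sequence must start at the first payload byte."""
    return len(payload) >= 6 and payload[0] == 0xE3 and payload[5] in (0x4C, 0x38, 0x58)


def matches_anywhere(payload: bytes) -> bool:
    """Equivalent of 'tcp matches "\\xe3....[\\x4c\\x38\\x58]"': the sequence may
    start at any offset, which is what produces the extra hits (and also what
    handles the case where 0xE3 is not known to be the first byte)."""
    return PATTERN_CLASS.search(payload) is not None


def fixed_offset_filter_hits(segment: bytes) -> bool:
    """Equivalent of 'tcp[20:1] eq e3 and (tcp[25:1] eq 4c or ...)': assumes a
    20-byte header, so it reads option bytes instead of payload when options exist."""
    return len(segment) >= 26 and segment[20] == 0xE3 and segment[25] in (0x4C, 0x38, 0x58)


if __name__ == "__main__":
    # Constructed payloads: a hit at offset 0, a hit at offset 2, and a hit
    # whose wildcard span contains 0x0A.
    at_start = b"\xe3\x01\x02\x03\x04\x4c" + b"trailing"
    shifted = b"\x00\x00\xe3\x01\x02\x03\x04\x38"
    with_newline = b"\xe3\x01\x0a\x03\x04\x58"
    for name, p in (("at_start", at_start), ("shifted", shifted), ("with_newline", with_newline)):
        print(f"{name:13} anchored={matches_anchored(p)!s:5} anywhere={matches_anywhere(p)!s:5} "
              f"no_dotall={PATTERN_NO_DOTALL.search(p) is not None}")
    plain = build_tcp_segment(at_start)
    with_mss = build_tcp_segment(at_start, options=b"\x02\x04\x05\xb4")  # MSS option, 4 bytes
    for name, seg in (("no options", plain), ("with options", with_mss)):
        off = payload_offset(seg)
        print(f"{name:13} tcp[20:1] filter={fixed_offset_filter_hits(seg)!s:5} "
              f"payload_offset={off} header-aware={matches_anchored(seg[off:])}")
```

The output makes the trade-off in the thread concrete: the anchored byte-slice filters reject the shifted payload that `matches` accepts, and the fixed `tcp[20:1]` filter misses the segment that carries an MSS option even though the payload is identical, while reading the Data Offset field finds it. The unanchored regex is the right tool when the position of 0xE3 is unknown, at the cost of hits at any offset.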
