Wireshark mailing list archives
Re: Searching for a particular sequence in a packet
From: Hussain <conundrums () gmail com>
Date: Mon, 5 Oct 2009 13:37:09 +0600
Hi, I have been trying but have still been unsuccessful in coming up with the right filters :(

For example, I wanted to know which packets had the following sequence: the first byte of the TCP data load is 0xe3, and then the fifth byte after 0xe3 should be either 0x4c, 0x38, or 0x58. To do this I came up with the following filters:

1. data[0:1] == e3 and (data[5:1] == 4c or data[5:1] == 38 or data[5:1] == 58)
2. data.data[0:1] == e3 and (data.data[5:1] == 4c or data.data[5:1] == 38 or data.data[5:1] == 58)
3. tcp[20:1] eq e3 and (tcp[25:1] eq 4c or tcp[25:1] eq 38 or tcp[25:1] eq 58)

Filters 1 and 2 apparently did not seem to work. In the capture file I had, there were at least two packets with the sequence 0xe3 hex hex hex hex 0x4c, where hex simply represents any hex value, and filters 1 and 2 only seemed to find one of the packets. I seemed to be able to get things to work correctly with filter number 3. However, the problem with number 3 is that it would not work if the TCP header had options enabled in it, and at the moment I do not know how to overcome that.

Also, does anyone know what I would do in the case where I didn't know that e3 was in the first byte, and just knew that 4 bytes after e3 I would find either 4c, 38, or 58?

I have attached the sample pcap that I was using along with this e-mail as well. Thanks for all the help.

Regards,
Hussain.

On Sat, Sep 26, 2009 at 2:53 AM, Stephen Fisher <steve () stephen-fisher com> wrote:
On Sep 25, 2009, at 12:06 AM, Hussain wrote:

Also I was just wondering if it was possible to search with offsets. For example, I want to search for packets where the first byte is, let's say, \xe3 (HEX), and then after four bytes I get the string \x45 (HEX value). I.e. one such possible sequence could be: e3 09 08 ff f3 45.

This page should help with display filters: http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Attachment: sample.pcap
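The reason filter 3 breaks when TCP options are present is that tcp[20:1] is a fixed offset into the TCP header, whereas the payload actually starts at the header length given by the data-offset field. As an added example that is not part of this thread, the Python below locates the payload from the IPv4 IHL and TCP data offset and then applies both of Hussain's matches (0xe3 at byte 0 with 0x4c/0x38/0x58 at byte 5, and the "0xe3 anywhere" variant); the function names and the constructed frames are my own and do not come from the attached sample.pcap.

```python
# Added example (not from the thread): match Hussain's byte pattern over raw
# Ethernet/IPv4/TCP frames, finding the payload via the TCP data offset so
# that TCP options do not shift the bytes being tested (the filter 3 problem).
import struct

WANTED = {0x4C, 0x38, 0x58}   # bytes accepted five positions after 0xE3

def tcp_payload(frame: bytes):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None if not TCP/IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IPv4 header length in bytes
    if ip[9] != 6:                                        # protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    doff = (tcp[12] >> 4) * 4                             # TCP header length incl. options
    return tcp[doff:]

def matches_at_start(payload: bytes) -> bool:
    """Semantics of filters 1/3: byte 0 is 0xE3 and byte 5 is one of WANTED."""
    return len(payload) > 5 and payload[0] == 0xE3 and payload[5] in WANTED

def matches_anywhere(payload: bytes) -> list:
    """Second question: every offset where 0xE3 is followed five bytes later by WANTED."""
    return [i for i in range(len(payload) - 5)
            if payload[i] == 0xE3 and payload[i + 5] in WANTED]

def build_frame(payload: bytes, options: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (sample data, not a real capture)."""
    assert len(options) % 4 == 0                          # options are padded to 32-bit words
    tcp_hdr_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0,
                      (tcp_hdr_len // 4) << 4, 0x18, 65535, 0, 0)
    ip_total = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    return eth + ip + tcp + options + payload

if __name__ == "__main__":
    sample = b"\xe3\x09\x08\xff\xf3\x4c"                  # constructed payload from the post
    for opts in (b"", b"\x01\x01\x01\x00"):               # without and with NOP/EOL options
        print(len(opts), matches_at_start(tcp_payload(build_frame(sample, opts))))
```

The same match succeeds with and without TCP options because the payload is located by header length rather than by a fixed offset.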
Current thread:
- Re: Searching for a particular sequence in a packet Hussain (Oct 05)
- Re: Searching for a particular sequence in apacket Sake Blok (Oct 05)
- Re: Searching for a particular sequence in apacket Hussain (Oct 05)
- Re: Searching for a particular sequence in apacket Sake Blok (Oct 05)
- Re: Searching for a particular sequence in apacket Hussain (Oct 05)
- Re: Searching for a particular sequence in apacket Sake Blok (Oct 05)