Re: [Wireshark-users] packet payload string or hex filter
Sake Blok wrote:
> On Thu, Feb 21, 2008 at 10:01:48PM -0700, Stephen Fisher wrote:
>> ...
>> This is not currently possible because there is no field that contains
>> the contents of the entire frame.

Actually, there is - frame.

> Well, if the capture file consists of only ethernet frames, then you
> can use the following filters:
>
> eth contains blablabla (string)
> eth contains 00403f (hex)
>
> Those filters will match any packet that contains the string blablabla
> (or the byte sequence 00 40 3f) anywhere in the packet.

And

frame contains blablabla

or

frame contains 00:40:3f

(rather than 00403f, if you're searching for a byte with the value hex 00, followed by a byte with the value hex 40, followed by a byte with the value hex 3f) will match regardless of whether the frames are Ethernet frames or not.

Note, however, that matches a link-layer frame, so if you're looking for, for example, an HTTP request or reply containing the string foobar, that won't match an HTTP request in which one TCP segment ends with foo and the next TCP segment begins with bar. In that case, you'd need to search for

http contains method

which *will*, as far as I know, match that.
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
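Added example, not part of the thread and not Wireshark code: a small Python model of the distinction drawn in the message above, matching a pattern against each raw frame versus against TCP payloads joined in sequence order. The frames are constructed sample data, the function names are hypothetical, and the pattern parser only models the `00:40:3f` notation as that message describes it.

```python
import struct

HEX = set("0123456789abcdefABCDEF")

def parse_pattern(text):
    """'00:40:3f' -> bytes 00 40 3f; anything else is a literal string (simplified model)."""
    parts = text.split(":")
    if len(parts) > 1 and all(len(p) == 2 and set(p) <= HEX for p in parts):
        return bytes(int(p, 16) for p in parts)
    return text.encode()

def build_frame(seq, payload):
    """Constructed Ethernet + IPv4 + TCP frame (checksums left zero, sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes.fromhex("00403f000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    return eth + ip + tcp

def tcp_payload(frame):
    """Return (seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip_end = 14 + struct.unpack("!H", frame[16:18])[0]
    tcp_off = 14 + (frame[14] & 0x0F) * 4
    data_off = tcp_off + (frame[tcp_off + 12] >> 4) * 4
    seq = struct.unpack("!I", frame[tcp_off + 4:tcp_off + 8])[0]
    return seq, frame[data_off:ip_end]

def frame_contains(frames, pattern):
    """Indices of frames whose raw bytes contain the pattern (per-frame match)."""
    needle = parse_pattern(pattern)
    return [i for i, f in enumerate(frames) if needle in f]

def stream_contains(frames, pattern):
    """Search TCP payloads joined by sequence number.
    Assumes one flow, no overlap, no retransmission, no sequence wraparound."""
    segs = sorted(p for p in map(tcp_payload, frames) if p and p[1])
    return parse_pattern(pattern) in b"".join(data for _, data in segs)

# Constructed capture: "foobar" is split across two TCP segments.
FRAMES = [
    build_frame(1000, b"GET /search?q=foo"),
    build_frame(1017, b"bar HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for pat in ("foo", "foobar", "00:40:3f", "00403f"):
        print(pat, "per-frame:", frame_contains(FRAMES, pat),
              "stream:", stream_contains(FRAMES, pat))
```

When hunting for a payload string in a capture, a per-frame miss is therefore not evidence of absence; the stream-level search is the one that sees content spanning segment boundaries.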
Re: [Wireshark-users] packet payload string or hex filter
On Fri, Feb 22, 2008 at 01:49:29AM -0800, Guy Harris wrote:
> Sake Blok wrote:
>> On Thu, Feb 21, 2008 at 10:01:48PM -0700, Stephen Fisher wrote:
>>> ...
>>> This is not currently possible because there is no field that contains
>>> the contents of the entire frame.
>
> Actually, there is - frame.
>
> And
>
> frame contains blablabla
>
> or
>
> frame contains 00:40:3f

Thanks for the correction. I tried it last night and I thought it wasn't working when I typed frame contains, but this morning it does indeed work. :O

Steve
[Wireshark-users] packet payload string or hex filter
Hello,

I'm wondering if Wireshark supports a string or hex filter similar to the following syntax:

data.data include or content blablabla

The issue is that the filter should go over the whole packet to match that string.

Best regards,
Grzegorz
Re: [Wireshark-users] packet payload string or hex filter
On Fri, Feb 22, 2008 at 03:38:23AM +0100, Grzegorz Szczytowski wrote:
> I'm wondering if Wireshark supports a string or hex filter similar to
> the following syntax:
>
> data.data include or content blablabla
>
> The issue is that the filter should go over the whole packet to match
> that string.

This is not currently possible because there is no field that contains the contents of the entire frame. Maybe we should add one under the frame dissector? This leaves you with the find packet search that allows hex values or strings.

Steve