Data filter by byte not string

0

Hello All,

I want to search on the Data field of a TCP packet where I can search on a data byte pattern not a data string, Is this possible, if so how?

Regards

B

asked 13 Sep '11, 09:14

Baz's gravatar image

Baz
1222
accept rate: 0%

edited 13 Sep '11, 10:16

helloworld's gravatar image

helloworld
2.6k21739
One Answer:
oldestnewestmost voted
1

Yes, you can use display filter syntax to search for a particular byte sequence. Here's an example display filter to find {A1,B2,C3,D4} anywhere in tcp.data:

tcp.data contains A1:B2:C3:D4
link

answered 13 Sep '11, 10:15

helloworld's gravatar image

helloworld
2.6k21739
accept rate: 27%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×50

Asked: 13 Sep '11, 09:14

Seen: 5,731 times

Last updated: 13 Sep '11, 10:16

Related questions

is there any way for a display filter using previous matched packet field value as comparison value?

Wireshark 1.7 display filtering on Multiple capture interfaces

tcp.time_delta and tcp.time_relative not showing any values

display filter to show UDP packets which are not recognized UDP protocols like DNS, RTP etc.

More detail in displaying information

Display Filters - Importing Kismet pcapdump - Can I get unique MAC addresses?

Start wireshark gui with a pre-configured display filter already applied

Open Sound Control OSC, how to filter

How to apply display filter for a cap file and save it as seperate cap file with filtered data only by using Tshark..?

source and destination ports as seperate columns

about | faq | privacy | support | contact

powered by OSQA