some communication protocol

In the absence of a dissector for that protocol, I can only suggest something like this:

data contains aa:bb

or assuming it's a TCP-based protocol, maybe this:

tcp contains aa:bb

But that is bound to match packets you're not interested in. If you are sure of the offset of those bytes within the TCP segment, then you might be able to get away with using the slice operator instead, for example:

tcp[20:2] == aa:bb

If the protocol is TCP-based though, then there may not be any guarantee that a protocol PDU aligns with each TCP segment, so that may not be reliable either. Anyway, those are a few options to try.

The best solution is probably to write a dissector for the protocol; then you'd be able to filter on that 2-byte field, regardless of where it occurs in the stream.

Refer to the Wireshark filter man page for more help on Wireshark display filters.
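As an added example (not part of the answer above, and not from the Wireshark project), here is a minimal Lua dissector of the kind the last option refers to. It assumes a hypothetical framing of a 2-byte magic field, a 2-byte big-endian length, and a payload carried on TCP port 5000; the protocol name, field names and port are placeholders. Because it goes through dissect_tcp_pdus, PDUs that straddle or share TCP segments are reassembled, so the filter myproto.magic == 0xaabb matches the field wherever it falls in the stream, which is what tcp[20:2] == aa:bb cannot guarantee.

```lua
-- Example dissector for a hypothetical TCP protocol (names and port are assumptions).
-- Load with: wireshark -X lua_script:myproto.lua, or drop it in the plugins directory.
local myproto = Proto("myproto", "Some Communication Protocol (example)")

-- Fields become filterable as myproto.magic, myproto.length, myproto.payload
local f_magic   = ProtoField.uint16("myproto.magic",   "Magic",   base.HEX)
local f_length  = ProtoField.uint16("myproto.length",  "Length",  base.DEC)
local f_payload = ProtoField.bytes ("myproto.payload", "Payload")
myproto.fields = { f_magic, f_length, f_payload }

local HEADER_LEN = 4  -- assumed: 2-byte magic + 2-byte length

-- Called by dissect_tcp_pdus once at least HEADER_LEN bytes are available;
-- returns the total PDU length so Wireshark can reassemble across segments.
local function get_pdu_len(tvb, pinfo, offset)
  return HEADER_LEN + tvb(offset + 2, 2):uint()
end

-- Called with a tvb that holds exactly one complete PDU.
local function dissect_pdu(tvb, pinfo, tree)
  pinfo.cols.protocol = "MYPROTO"
  local subtree = tree:add(myproto, tvb(), "Some Communication Protocol")
  subtree:add(f_magic,  tvb(0, 2))
  subtree:add(f_length, tvb(2, 2))
  local payload_len = tvb(2, 2):uint()
  if payload_len > 0 then
    subtree:add(f_payload, tvb(HEADER_LEN, payload_len))
  end
  return tvb:len()
end

-- Entry point for each TCP segment handed to this dissector.
function myproto.dissector(tvb, pinfo, tree)
  dissect_tcp_pdus(tvb, tree, HEADER_LEN, get_pdu_len, dissect_pdu)
  return tvb:len()
end

-- Register on an assumed port; adjust to the real one or use "Decode As...".
DissectorTable.get("tcp.port"):add(5000, myproto)
```

A length field that is corrupt or hostile will simply leave the PDU marked as malformed rather than crash the dissector, since tvb range accesses are bounds-checked.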