Filtering odd-length binary data
Hi!
I'm struggling with extracting information from Wireshark. I need to be able to differentiate between correctly formatted TCP packet data, and incorrectly formatted (odd-length) data that an application is receiving. For example, correctly formatted data from app logs looks like this:
2021-07-26T17:21:08+0100 [,client] Working with header 0000005f00000077000000000001fdb9ffffffff
2021-07-26T17:21:08+0100 [,client] Working with packet 0000005f00000077000000000001fdb9ffffffff2001393039313930393034350000000000000000000000393031000000000000
0000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] Working with body 20013930393139303930343500000000000000000000003930310000000000000000000000000000000000002a3930312a36363600
000000000000000000000000002a3930312a36363623
Incorrectly formatted data looks like this (also from the logs):
2021-07-26T17:21:08+0100 [,client] Working with header 0000005f00000077000000000001ba0fffffffff
2021-07-26T17:21:08+0100 [,client] Working with packet 0000005f00000077000000000001ba0fffffffff2001383137303038323034300000000000000000000000393031000000000000
0000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] Working with body 20013831373030383230343000000000000000000000003930310000000000000000000000000000000000002a3930312a36363600
000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] 'Error parsing packet (Odd-length string): 0000005f00000077000000000001ba0fffffffff20013831373030383230343000000000000000000000003930310000000000000000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623'
How can I filter out and present the packets that contain the odd-length strings, from the TCP data?
With hindsight, I guess I am asking how do I write a display filter to capture binary data that contains this: 2a3930312a363636000?
Thanks, I hope I am clear!
What is it about the data that determines it's an "odd-length"? To TCP it's just data.
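An added example, not part of the original thread: a TCP payload is always a whole number of bytes, so an odd digit count can only be seen in the hex text the application logs, and this sketch re-joins wrapped log lines and checks each logged field there. Assumptions: the log lines are constructed in the format shown in the post, and the application decodes hex text in a way comparable to Python's `binascii.unhexlify`, which raises the message "Odd-length string".

```python
import binascii
import re

# Log format from the post: "<timestamp> [,client] Working with <kind> <hex>"
FIELD_RE = re.compile(
    r"^\S+ \[,client\] Working with (header|packet|body) ([0-9a-fA-F]+)$")
HEX_ONLY_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample lines (not taken from a real capture or log).
SAMPLE_LOG = """\
2021-07-26T17:21:08+0100 [,client] Working with header 0000000400000077
2021-07-26T17:21:08+0100 [,client] Working with body 2a3930
312a363636
2021-07-26T17:21:08+0100 [,client] Working with body 2a3930312a363636000
"""

def extract_fields(log_text):
    """Return [(kind, hex_text)], re-joining hex that wrapped onto the next line."""
    fields = []
    open_field = False  # True while the previous line belonged to a hex dump
    for line in log_text.splitlines():
        line = line.strip()
        match = FIELD_RE.match(line)
        if match:
            fields.append([match.group(1), match.group(2)])
            open_field = True
        elif open_field and HEX_ONLY_RE.match(line):
            fields[-1][1] += line  # continuation of the wrapped hex dump
        else:
            open_field = False     # unrelated line ends the current dump
    return [(kind, hex_text) for kind, hex_text in fields]

def check_field(hex_text):
    """Try to decode the hex text; return (ok, detail)."""
    try:
        raw = binascii.unhexlify(hex_text)
    except binascii.Error as exc:
        return False, f"{len(hex_text)} hex digits: {exc}"
    return True, f"{len(raw)} bytes"

def odd_length_fields(log_text):
    """Fields whose hex text has an odd number of digits."""
    return [(k, h) for k, h in extract_fields(log_text) if len(h) % 2 == 1]

if __name__ == "__main__":
    for kind, hex_text in extract_fields(SAMPLE_LOG):
        print(kind, *check_field(hex_text))
```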