Ask Your Question
0

Filtering odd-length binary data

asked 2021-07-26 17:20:51 +0000

sinaowolabi gravatar image

updated 2021-07-26 17:48:19 +0000

Hi!

Im struggling with extracting information from Wireshark. I need to be able to differentiate between correctly formatted tcp packet data, and incorrectly (odd-length) data that an application is receiving. For example, correctly formatted data from app logs looks like this:

2021-07-26T17:21:08+0100 [,client] Working with header 0000005f00000077000000000001fdb9ffffffff
2021-07-26T17:21:08+0100 [,client] Working with packet 0000005f00000077000000000001fdb9ffffffff2001393039313930393034350000000000000000000000393031000000000000
0000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] Working with body 20013930393139303930343500000000000000000000003930310000000000000000000000000000000000002a3930312a36363600
000000000000000000000000002a3930312a36363623

Incorrectly formatted data looks like this (also from the logs):

2021-07-26T17:21:08+0100 [,client] Working with header 0000005f00000077000000000001ba0fffffffff
2021-07-26T17:21:08+0100 [,client] Working with packet 0000005f00000077000000000001ba0fffffffff2001383137303038323034300000000000000000000000393031000000000000
0000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] Working with body 20013831373030383230343000000000000000000000003930310000000000000000000000000000000000002a3930312a36363600
000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] 'Error parsing packet (Odd-length string): 0000005f00000077000000000001ba0fffffffff20013831373030383230343000000000000000000000003930310000000000000000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623'

How can I filter out and present the packets that contain the odd length strings, from the tcp data?

With hindsight, I guess I am asking how do I write a display filter to capture binary data that looks contains this: 2a3930312a363636000 ?

Thanks, I hope I am clear!

edit retag flag offensive close merge delete

Comments

What is it about the data that determines it's an "odd-length"? To TCP it's just data.

grahamb gravatar imagegrahamb ( 2021-07-26 17:47:38 +0000 )edit

1 Answer

Sort by » oldest newest most voted
1

answered 2021-07-26 17:59:09 +0000

grahamb gravatar image

Unfortunately the hex string you have posted isn't a valid set of bytes as it's one character short (or too long). To filter tcp packets that contains arbitrary hex bytes use the filter contains followed by the bytes with : separators, e.g.

tcp contains 2a:39:30:31:2a:36:36:36:00
edit flag offensive delete link more

Comments

Wow, that's exactly what I am trying to show (and what the application is rejecting as odd-length packet). Please how did you find out it was short or too long?

sinaowolabi gravatar imagesinaowolabi ( 2021-07-26 18:03:18 +0000 )edit

When I inserted the colon separators, I had a single 0 left over. I'm talking about the substring you mentioned 2a3930312a363636000.

grahamb gravatar imagegrahamb ( 2021-07-26 18:17:45 +0000 )edit

Also note that the hex-string 2a:39:30:31:2a:36:36:36 is equal to the ASCII-string *901*666. So if the test for the trailing null-byte is not necessary this filter is also possible:

tcp contains "*901*666"
André gravatar imageAndré ( 2021-07-26 18:50:13 +0000 )edit

Oh right thanks a lot

sinaowolabi gravatar imagesinaowolabi ( 2021-07-26 20:15:31 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-07-26 17:20:51 +0000

Seen: 416 times

Last updated: Jul 26 '21