How to filter tcp stream starting with given «magic» bytes?

asked 2018-06-07 13:42:09 +0000

Timofey Gorshkov

E.g. some communication protocol declares that client should start conversation by sending some data starting with «aa:bb» bytes. How could I filter streams that are candidates for such a protocol?


1 Answer

answered 2018-06-07 14:17:13 +0000

cmaynard

> some communication protocol

In the absence of a dissector for that protocol, I can only suggest something like this:

data contains aa:bb

or assuming it's a TCP-based protocol, maybe this:

tcp contains aa:bb

But that is bound to match packets you're not interested in. If you are sure of the offset of those bytes within the TCP segment, then you might be able to get away with using the slice operator instead, for example:

tcp[20:2] == aa:bb

If the protocol is TCP-based, though, then there may not be any guarantee that a protocol PDU aligns with each TCP segment, so that may not be reliable either. Anyway, those are a few options to try.

The best solution is probably to write a dissector for the protocol; then you'd be able to filter on that 2-byte field, regardless of where it occurs in the stream.

Refer to the Wireshark filter man page for more help on Wireshark display filters.


Comments

Thanks! More exact expression is: tcp.payload[0:2] == aa:bb.

Timofey Gorshkov ( 2018-06-07 18:56:00 +0000 )

Nice, except that TCP is a streaming protocol, so it's possible that upper-layer PDUs can be split at any boundary, and therefore the offsets of the bytes of interest might not always be the same. This filter might work for you most of the time, but if you want to be sure you're matching all packets, regardless of segmentation boundaries, an explicit dissector for the upper-layer protocol is thus always preferred.

cmaynard ( 2018-06-08 01:46:01 +0000 )
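To make the answer's and the comments' point concrete, here is an added example (not from the question, the answer, or the Wireshark project) that emulates the three filter styles discussed above over constructed TCP segments: a `contains` match, a payload-offset slice match like `tcp.payload[0:2] == aa:bb`, and the stream-level check a dissector would get after TCP reassembly. The `Segment` class, the `SEGMENTS` data and the helper function names are assumptions made for this illustration; `filter_contains` approximates `tcp contains aa:bb` by searching only the payload rather than the whole segment, and `reassemble` ignores gaps and retransmissions.

```python
"""
Emulating Wireshark-style display-filter matching over constructed TCP
segments, to show why an offset-based match on a "magic" byte prefix
can miss a PDU that is split across segments, and why a plain
`contains` match can hit unrelated traffic.

Added example; not code from the Q&A page or from Wireshark. All
segment data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Set

MAGIC = bytes.fromhex("aabb")  # the «aa:bb» prefix from the question


@dataclass
class Segment:
    """A minimal stand-in for one TCP segment (hypothetical type)."""
    stream: int      # like Wireshark's tcp.stream index
    seq: int         # relative sequence number of the first payload byte
    payload: bytes   # like tcp.payload


def filter_contains(seg: Segment, needle: bytes = MAGIC) -> bool:
    """Approximates `tcp contains aa:bb`: matches the bytes anywhere in the
    payload (the real filter also scans the TCP header)."""
    return needle in seg.payload


def filter_payload_slice(seg: Segment, needle: bytes = MAGIC) -> bool:
    """Approximates `tcp.payload[0:2] == aa:bb`: matches only when the
    bytes sit at offset 0 of this particular segment's payload."""
    return seg.payload[:2] == needle


def reassemble(segments: List[Segment], stream: int) -> bytes:
    """Concatenate one stream's payloads in sequence order, which is
    roughly what a dissector sees after TCP reassembly. Gaps, overlaps
    and retransmissions are deliberately not handled here."""
    ordered = sorted((s for s in segments if s.stream == stream),
                     key=lambda s: s.seq)
    return b"".join(s.payload for s in ordered)


def stream_starts_with_magic(segments: List[Segment], stream: int,
                             needle: bytes = MAGIC) -> bool:
    """The stream-level check: does the reassembled conversation begin
    with the magic bytes, regardless of segmentation?"""
    return reassemble(segments, stream).startswith(needle)


def candidate_streams(segments: List[Segment],
                      match: Callable[[Segment], bool]) -> Set[int]:
    """Return the set of stream indexes with at least one matching segment."""
    return {s.stream for s in segments if match(s)}


# Constructed segments (not real captures):
SEGMENTS = [
    # stream 0: the PDU arrives in one segment; both per-packet filters hit
    Segment(0, 0, bytes.fromhex("aabb0001") + b"hello"),
    # stream 1: a 1-byte segment followed by the rest; the magic is split
    Segment(1, 0, bytes.fromhex("aa")),
    Segment(1, 1, bytes.fromhex("bb0002") + b"world"),
    # stream 2: unrelated protocol whose data merely contains aa bb mid-payload
    Segment(2, 0, b"GET / HTTP/1.0\r\n" + bytes.fromhex("aabb") + b"\r\n"),
]


if __name__ == "__main__":
    print("contains   :", sorted(candidate_streams(SEGMENTS, filter_contains)))
    print("slice[0:2] :", sorted(candidate_streams(SEGMENTS, filter_payload_slice)))
    print("reassembled:", sorted(st for st in {0, 1, 2}
                                 if stream_starts_with_magic(SEGMENTS, st)))
```

Running it shows the three outcomes side by side: `contains` flags streams 0 and 2 (a false positive on the HTTP-like stream), the `[0:2]` slice flags only stream 0 (it misses stream 1, where the two magic bytes straddle a segment boundary), and the reassembled check flags streams 0 and 1, which is the set a dissector would give you.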

Seen: 1,654 times

Last updated: Jun 07 '18