Ask Your Question

How to filter tcp stream starting with given «magic» bytes?

asked 2018-06-07 13:42:09 +0000

Timofey Gorshkov gravatar image

E.g. some communication protocol declares that client should start conversation by sending some data starting with «aa:bb» bytes. How could I filter streams that are candidates for such a protocol?

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2018-06-07 14:17:13 +0000

cmaynard gravatar image

some communication protocol

In the absence of a dissector for that protocol, I can only suggest something like this:

data contains aa:bb

or assuming it's a TCP-based protocol, maybe this:

tcp contains aa:bb

But that is bound to match packets you're not interested in. If you are sure of the offset of those bytes within the TCP segment, then you might be able to get away with using the slice operator instead, for example:

tcp[20:2] == aa:bb

If the protocol is TCP-based though, then there may not be any guarantee that a protocol PDU aligns with each TCP segment though, so that may not be reliable either. Anyway, those are a few options to try.

The best solution is probably to write a dissector for the protocol then you'd be able to filter on that 2-byte field, regardless of where it occurs in the stream.

Refer to the Wireshark filter man page for more help on Wireshark display filters.

edit flag offensive delete link more


Thanks! More exact expression is: tcp.payload[0:2] == aa:bb.

Timofey Gorshkov gravatar imageTimofey Gorshkov ( 2018-06-07 18:56:00 +0000 )edit

Nice, except that TCP is a streaming protocol so it's possible that upper layer PDU's can be split at any boundary, and therefore the offsets of the bytes of interest might not always be the same. This filter might work for you most of the time, but if you want to be sure you're matching all packets, regardless of segmentation boundaries, an explicit dissector for the upper layer protocol is thus always preferred.

cmaynard gravatar imagecmaynard ( 2018-06-08 01:46:01 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-06-07 13:42:09 +0000

Seen: 1,745 times

Last updated: Jun 07 '18