This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Difference between “Edit -> Find Packet…” and “tcp contains”

0

Hi. In the past, I have used "tcp contains <string>" to filter on packets containing a certain string. In the more recent past, I seem to be having problems getting this to work. Here is an example from today...

With a trace file open, applying the filter [tcp contains "prgetWindows"] finds zero packets. However, if I do Edit -> Find Packet... and enter prgetWindows, as a string, I find lots of packets.

(and, Yes, the packets are TCP packets :-) )

What am I doing wrong, or not understanding?

thx all, Michael

asked 18 Sep '10, 08:26

feenyman99's gravatar image

feenyman99
96222226
accept rate: 25%

Sorry for the delay - a production problem has me buried. I've done more testting...

For simplicity, my search string is now "prget". Find Packet "prget" works fine. The below filters DO NOT WORK: tcp matches "[Pp][Rr][Gg][Ee][Tt]" tcp contains "prget" tds contains "prget" (It is actually TDS traffic)

I don't have a place to Post the capture file (although I could make it small enough to email), but below is a snippet of "Follow TCP Stream" output...

Thx again for any ideas.

    d b o . p r g e t W I n d o w s S e r v i c e R u n F l a g  S F ã  ?

(25 Sep '10, 14:12) feenyman99

It might be a character encoding issue. Not sure... If you want, you can send me ([email protected]) the capture so I can have a look at it.

(25 Sep '10, 15:19) SYN-bit ♦♦

2 Answers:

1

Try tcp matches "p.r.g.e.t". If the traffic is TDS then strings on the wire might be encoded as UCS-2. I don't think PCRE supports UCS-2/UTF-16 but you should be able fake it for ASCII strings by adding a period between each character. You can make the match case-insensitive using the "i" flag, e.g. tcp matches "(?i)p.r.g.e.t".

answered 25 Sep '10, 16:07

Gerald%20Combs's gravatar image

Gerald Combs ♦♦
3.3k92258
accept rate: 24%

OK - <tcp matches="" "p.r.g.e.t"=""> WORKS! And, by the way, <find "p.r.g.e.t"=""> does NOT. I must use <find "prget"="">.

So I deduce from your helpful answers that this is a character encoding issue. Is there something I can read that will help me learn when I can use <tcp contains="" "string"=""> versus <tcp matches="" "s.t.r.i.n.g"="">?

I have emailed a trace snippet to SYNbit, in case it's useful.

THANX to both of you for your help.

(26 Sep '10, 06:11) feenyman99

1

One difference between the find function and "tcp contains ..." is that the find function will by default use a case insensitive search. What happens when you select "case sensitive" in the find function, does it also not find any packets?

And does the filter tcp matches "[Pp][Pr][Gg][Ee][Tt][Ww][Ii][Nn][Dd][Oo][Ww][Ss]" show any packets?

If so, then it's a case issue. If not we need to look deeper, but then it would be handy to be able to look at the capture file, can you post it somewhere as this site does not (yet) have file-upload capabilities?

answered 18 Sep '10, 09:03

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

1

Another difference between the "Find" function and "tcp contains" is that the "Find" function will, by default, search for characters (with codes in the range 1-255) encoded both as single-byte codes and as either big-endian or little-endian UCS-2/UTF-16 (by ignoring bytes with the value 0). As per Gerald's answer, the matching used for "XXX contains" doesn't handle UCS-2/UTF-16.

(06 Oct '10, 16:26) Guy Harris ♦♦