Ethereal-users: RE: [Ethereal-users] Find Frame / Filtering

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Evers, John E." <JEVERS@xxxxxxx>
Date: Tue, 27 Aug 2002 08:15:14 -0500
Martin,

Thanks for the reply

I've tried this on both 0.95 and 0.9.6 WIN32 with the same results.

As I don't know the offset in the payload hex data stream I cannot use the
workaround.  I search for file names, values being read from a database file
and database error codes.  The application I support, as a customer support
person not a programmer, does not do the best job of interpreting error
codes so I use network traces to determine the actual cause of failures.

Thanks again,
John



		-----Original Message-----
		From:	Visser, Martin (Sydney) [mailto:Martin.Visser@xxxxxx]
		Sent:	Monday, August 26, 2002 6:21 PM
		To:	ethereal-users@xxxxxxxxxxxx
		Cc:	Evers, John E.
		Subject:	RE: [Ethereal-users] Find Frame / Filtering

		You're right, there is something broken (at least in 0.9.3 on win32).
		However there is a workaround that may work for you.
		For the bug fixers the following two examples DO match packets correctly:-

		ipx[0:2] == "ff:ff"
		ipx[0:8] == "ff:ff:00:72:03:11:0a:8f"
		ipx[0] == "ff" && ipx [1] == "ff"

		But the following DON'T match

		ipx[0:] == "ff:ff"
		ipx[0:1] == "ff:ff"
		ipx[0:42] == "ff:ff"

		It seems that an open ended range or a range that doesn't exactly match the number of bytes in the match string doesn't work.

		-----Original Message-----
		From: Evers, John E. [mailto:JEVERS@xxxxxxx]
		Sent: Tuesday, 27 August 2002 7:44 AM
		To: ethereal-users@xxxxxxxxxxxx
		Subject: [Ethereal-users] Find Frame / Filtering


		Hi,

		I do a lot of tracing which requires searching / filtering on the data stream.

		I have tried the "Find Frame" and "Filtering" options with the following parameters.

		smb[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.
		ip[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.
		tcp[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.
		data[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.

		I've also tried to search for hex streams that were not separated by the 00 hex characters as in the above example, same results.

		Applying as a Filter displays no results and Find Frame responds with a "No Packet Matched Filter" message.

		I am guessing Ethereal does not support this, but as it is important to me I want to make sure before I abandon it for this application.

		Thanks for any feedback.

		John


		****************************************************************************
		This email may contain confidential material.
		If you were not an intended recipient,
		Please notify the sender and delete all copies.
		We may monitor email to and from our network.
		****************************************************************************
		_______________________________________________
		Ethereal-users mailing list
		Ethereal-users@xxxxxxxxxxxx
		http://www.ethereal.com/mailman/listinfo/ethereal-users

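Editor's added illustration of the slice semantics Martin describes above (this is not code from the thread or from Ethereal). It assumes the documented Wireshark/Ethereal reading of a byte slice, where `field[i:n]` selects `n` bytes starting at offset `i`, `field[i:]` selects everything from offset `i` to the end of the field, and `==` against a colon-separated hex literal is true only when the selected bytes and the literal have the same length and content. The packet bytes (`SAMPLE_IPX`, `SAMPLE_PAYLOAD`) are constructed for the demo; `field_contains` is a hypothetical helper modelling the substring search John actually needs, which is what the `contains` operator provides in later Wireshark releases (the thread does not establish whether the 2002 builds offered it).

```python
"""Byte-slice display-filter comparisons versus a substring search.

Added illustration, not Ethereal/Wireshark code. Slice semantics follow the
documented Wireshark reading: field[i:n] is offset i, LENGTH n.
"""
import re

# Constructed sample bytes (not from the thread).
# A 30-byte IPX header whose first 8 bytes are the ones in Martin's example.
SAMPLE_IPX = bytes.fromhex("ffff007203110a8f") + bytes(22)
# A payload where the UTF-16LE text "Comm" (43 00 6f 00 6d 00 6d 00), the
# string John searched for, sits at offset 6 rather than offset 0.
SAMPLE_PAYLOAD = bytes.fromhex("ff534d42" + "0000" + "43006f006d006d00" + "61006e006400")

_SLICE_RE = re.compile(r"^(\w+)\s*\[\s*(\d+)\s*(?:(:)\s*(\d*))?\s*\]$")


def parse_hex_string(text):
    """Turn 'ff:ff' or '43:00:6f:00:6d:00:6d:00:' into bytes.

    Surrounding double quotes are stripped and a trailing colon (as in
    John's original filters) is tolerated.
    """
    parts = [p for p in text.strip().strip('"').split(":") if p]
    return bytes(int(p, 16) for p in parts)


def extract_slice(field_bytes, slice_expr):
    """Apply slice syntax to a field's bytes.

    field[i]   -> the single byte at offset i
    field[i:n] -> n bytes starting at offset i (second number is a length)
    field[i:]  -> everything from offset i to the end of the field
    The result is shorter than requested when the field ends first.
    """
    m = _SLICE_RE.match(slice_expr.strip())
    if not m:
        raise ValueError(f"not a slice expression: {slice_expr!r}")
    _field, offset, has_colon, length = m.groups()
    offset = int(offset)
    if not has_colon:
        return field_bytes[offset:offset + 1]
    if length == "":
        return field_bytes[offset:]
    return field_bytes[offset:offset + int(length)]


def slice_equals(field_bytes, slice_expr, hex_string):
    """'==' between a slice and a byte literal: same length AND same content.

    This is why ipx[0:] and ipx[0:42] never equal "ff:ff": the selected
    bytes are 30 long, the literal is 2 long.
    """
    return extract_slice(field_bytes, slice_expr) == parse_hex_string(hex_string)


def field_contains(field_bytes, hex_string):
    """Substring search over the whole field (hypothetical helper).

    Returns the offset of the first match, or -1. This is the operation a
    trace analyst wants when the offset of the bytes is unknown.
    """
    return field_bytes.find(parse_hex_string(hex_string))


def demo():
    """Evaluate the thread's filter expressions against the sample bytes."""
    return {
        # Martin's matching examples
        'ipx[0:2] == "ff:ff"': slice_equals(SAMPLE_IPX, "ipx[0:2]", '"ff:ff"'),
        'ipx[0:8] == "ff:ff:00:72:03:11:0a:8f"':
            slice_equals(SAMPLE_IPX, "ipx[0:8]", '"ff:ff:00:72:03:11:0a:8f"'),
        'ipx[0] == "ff" && ipx [1] == "ff"':
            slice_equals(SAMPLE_IPX, "ipx[0]", '"ff"')
            and slice_equals(SAMPLE_IPX, "ipx [1]", '"ff"'),
        # Martin's non-matching examples: slice length differs from the literal
        'ipx[0:] == "ff:ff"': slice_equals(SAMPLE_IPX, "ipx[0:]", '"ff:ff"'),
        'ipx[0:1] == "ff:ff"': slice_equals(SAMPLE_IPX, "ipx[0:1]", '"ff:ff"'),
        'ipx[0:42] == "ff:ff"': slice_equals(SAMPLE_IPX, "ipx[0:42]", '"ff:ff"'),
        # John's payload search: '==' at offset 0 fails, a substring search finds it
        'data[0:] == 43:00:6f:00:6d:00:6d:00:':
            slice_equals(SAMPLE_PAYLOAD, "data[0:]", "43:00:6f:00:6d:00:6d:00:"),
        'data contains 43:00:6f:00:6d:00:6d:00':
            field_contains(SAMPLE_PAYLOAD, "43:00:6f:00:6d:00:6d:00"),
    }


if __name__ == "__main__":
    for expression, result in demo().items():
        print(f"{expression:45} -> {result}")
```

The dictionary returned by `demo()` reproduces Martin's split exactly: the three expressions whose slice length equals the literal length are true, the open-ended and wrong-length slices are false, and the `data[0:]` comparison John tried is false even though the bytes are present, because `==` demands that the whole selected range equal the literal. `field_contains` reports where the bytes actually sit (offset 6 in the constructed payload), which is the behaviour an analyst searching a trace for file names or error codes of unknown position needs.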