Ethereal-users: RE: [Ethereal-users] Find Frame / Filtering

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin (Sydney)" <Martin.Visser@xxxxxx>
Date: Wed, 28 Aug 2002 08:05:35 +1000
Oh I see now, you want to search for the string. (The 0: range indicated
to me that you were trying to match the string at offset 0). If you need
to search for an ascii string you may want to try "tethereal -V -r
your_capture_file | grep the_string". (Or even just "strings
your_capture_file | grep the_string" though this won't tell you which
frame the string is in)

Martin Visser
Network Consultant - Global Services
COMPAQ, part of the new HP

3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670    Mobile: +61-411-254-513
   Fax: +61-2-9022-1800     E-mail: martin.visser@xxxxxx




-----Original Message-----
From: Evers, John E. [mailto:JEVERS@xxxxxxx] 
Sent: Tuesday, 27 August 2002 11:15 PM
To: Visser, Martin (Sydney); ethereal-users@xxxxxxxxxxxx
Cc: Evers, John E.
Subject: RE: [Ethereal-users] Find Frame / Filtering


Martin,

Thanks for the reply

I've tried this on both 0.95 and 0.9.6 WIN32 with the same results.

As I don't know the offset in the payload hex data stream I cannot use
the workaround.  I search for file names, values being read from a
database file and database error codes.  The application I support, as a
customer support person not a programmer, does not do the best job of
interpreting error codes so I use network traces to determine the actual
cause of failures.

Thanks again,
John



		-----Original Message-----
		From:	Visser, Martin (Sydney) [mailto:Martin.Visser@xxxxxx]
		Sent:	Monday, August 26, 2002 6:21 PM
		To:	ethereal-users@xxxxxxxxxxxx
		Cc:	Evers, John E.
		Subject:	RE: [Ethereal-users] Find Frame / Filtering

		You're right, there is something broken (at least in 0.9.3 on win32).
		However there is a workaround that may work for you.
		For the bug fixers the following two examples DO match packets correctly:-

		ipx[0:2] == "ff:ff"
		ipx[0:8] == "ff:ff:00:72:03:11:0a:8f"
		ipx[0] == "ff" && ipx [1] == "ff"

		But the following DON'T match

		ipx[0:] == "ff:ff"
		ipx[0:1] == "ff:ff"
		ipx[0:42] == "ff:ff"


		It seems that an open ended range or a range that doesn't exactly match
		the number of bytes in the match string doesn't work.

		-----Original Message-----
		From: Evers, John E. [mailto:JEVERS@xxxxxxx] 
		Sent: Tuesday, 27 August 2002 7:44 AM
		To: ethereal-users@xxxxxxxxxxxx
		Subject: [Ethereal-users] Find Frame / Filtering


		Hi,

		I do a lot of tracing which requires searching / filtering on the data
		stream.

		I have tried the "Find Frame" and "Filtering" options with the following
		parameters.

		smb[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.
		ip[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.
		tcp[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.
		data[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.

		I have also tried to search for hex streams that were not separated
		by the 00 hex characters as in the above example, same results.


		Applying as a Filter displays no results and Find Frame responds with a
		"No Packet Matched Filter" message.

		I am guessing Ethereal does not support this, but as it is important to
		me I want to make sure before I abandon it for this application.

		Thanks for any feedback.

		John


	
************************************************************************
		**** 
		This email may contain confidential material. 
		If you were not an intended recipient, 
		Please notify the sender and delete all copies. 
		We may monitor email to and from our network. 
	
************************************************************************
		****
		_______________________________________________
		Ethereal-users mailing list
		Ethereal-users@xxxxxxxxxxxx
		http://www.ethereal.com/mailman/listinfo/ethereal-users

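Added example, not part of the original thread and not Ethereal code: the "strings | grep" suggestion above cannot say which frame matched, and the bytes John pasted (43:00:6f:00:6d:00:6d:00) are "Comm" in UTF-16LE, which a plain ASCII search does not match. This Python sketch scans a classic libpcap file for a string at any offset, in both encodings, and reports the frame number; the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic libpcap magic numbers as they appear on disk -> struct byte order.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond stamps
}

def iter_frames(pcap_bytes):
    """Yield (frame_number, raw_bytes); frames are numbered from 1."""
    endian = PCAP_MAGICS.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    offset, number = 24, 0                      # skip 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "IIII", pcap_bytes, offset)[2]
        data = pcap_bytes[offset + 16:offset + 16 + incl_len]
        if len(data) < incl_len:
            break                               # truncated final record
        offset += 16 + incl_len
        number += 1
        yield number, data

def find_string(pcap_bytes, text):
    """Return [(frame_number, byte_offset_in_frame, encoding)] per match."""
    needles = {"ascii": text.encode("ascii"),
               "utf-16le": text.encode("utf-16le")}
    hits = []
    for number, data in iter_frames(pcap_bytes):
        for name, needle in needles.items():
            pos = data.find(needle)
            while pos != -1:
                hits.append((number, pos, name))
                pos = data.find(needle, pos + 1)
    return hits

def build_sample():
    """Constructed three-frame capture; payloads are made up, not real traffic."""
    payloads = [b"\xff\xff\x00\x72\x03\x11",
                b"\x00" * 5 + b"Comm.dbf",
                b"\x01\x02\x03" + "Comm".encode("utf-16le")]
    image = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        image += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return image

if __name__ == "__main__":
    for frame, off, enc in find_string(build_sample(), "Comm"):
        print(f"frame {frame}: offset {off} ({enc})")
```

To use it on a real trace, read the file with open(path, "rb").read() and pass the bytes to find_string; the match is case-sensitive, as with grep's default.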