Wireshark · Wireshark-users: Re: [Wireshark-users] Counting packets with a matching payload

Wireshark-users: Re: [Wireshark-users] Counting packets with a matching payload

From: Sake Blok <sake@xxxxxxxxxx>

Date: Wed, 6 Feb 2008 20:15:57 +0100

On Wed, Feb 06, 2008 at 06:42:10PM -0000, Scott Sheppard wrote:
> 
> I have a data set with 50,000 packets in it. Many of them have a TCP/IP
> packet with a payload that follows a pattern. The pattern is a 1024 byte
> payload with 55 aa 55 aa etc hex in it. I want to filter this data set and
> count how many packets have this pattern it is. 
> 
> Any thoughts?

You could use a display filter to select the frames and then use
statistics (or the status bar) to count the amount of filtered
frames.

To build a displayfilter matching these packets, make sure the protocol
that contains these 55aa55aa paterns is disabled (Analyze -> Enabled Protocols).
This way, tcp will hand of dissection to the data dissector.

Double-click on "data (xxx bytes)" in the packet details pane. Then 
rightclick on "Data: 55aa55aa55aa55..." and select "Apply as Filter -> Selected".

That should do the trick :-)

Cheers,
    Sake

References:
- [Wireshark-users] Counting packets with a matching payload
  - From: Scott Sheppard

Prev by Date: Re: [Wireshark-users] Capture Filter Help
Next by Date: Re: [Wireshark-users] Capture Filter Help
Previous by thread: [Wireshark-users] Counting packets with a matching payload
Next by thread: [Wireshark-users] Capture Filter Help
Index(es):
- Date
- Thread