Dolphin
Reputation: 38621
How to filter package content in wireshark?
I am filtering package in Wireshark(version 2.0.3),the tcp package data is like this:
7e:02:00:00:3c:01:41:31:07:17:83:02:97:00:00:00:00:00:0c:00:c3:02:28:ba:50:06:f1:ec:c0:00:59:00:00:01:2e:16:06:30:10:46:00:01:04:00:00:e6:2f:02:02:00:00:03:02:00:00:25:04:00:00:00:00:2b:04:00:00:00:00:30:01:13:31:01:12:5e:7e
Now I want to find the third byte to four byte contains 00:00,how to write the filter expression? I have tried:
ip[3,2] == 00:00 #in tcpdump it works
data.data[3,2] == 00:00 #data.data == 00:00,but data not just only contain:00:00
Any solution?
Upvotes: 0
Views: 775
Answers (2)
Dolphin
Reputation: 38621
Using this filter:
data[3:2] == 00:00 # start from 22,get 2 byte equal to 00:00
Upvotes: 0
Jeff S.
Reputation: 461
The count starts from 0 so you are looking for 2 and 3 in your example.
You can specify and group slices (what you're doing in your example), or provide a range.
# Combines 2 slices
frame[2,3]==0000
# From byte position 2 include 2 bytes (e.g. 2 and 3)
frame[2:2]==0000
# Provides byte range 2 through 3
frame[2-3]==0000
The following syntax governs slices:
Source: https://www.wireshark.org/docs/man-pages/wireshark-filter.html
[i:j] i = start_offset, j = length
[i-j] i = start_offset, j = end_offset, inclusive.
[i] i = start_offset, length = 1
[:j] start_offset = 0, length = j
[i:] start_offset = i, end_offset = end_of_field
Upvotes: 1
Related Questions
- Multiple protocol filtering on Wireshark
- How to filter captured packages?
- filter the packets Wireshark with size
- How to use filters in the wireshark?
- Advanced filtering in wireshark
- How to filter TCP option with wireshark?
- How to use "Follow TCP stream" for specific packets in Wireshark?
- How to filter wireshark to display only packets between a server and a client?
- How to filter packet on wireshark
- Wireshark Info Filter Help