Reputation: 11032
I am trying to search for a string in a pcap file captured with the Wireshark tool. All strings sent to/from the SQL server are formatted as Unicode strings (UTF-16).
When a frame contains a Unicode string like "select", it is displayed as "s e l e c t"; the space between the characters is the null character \x00.
When I use the following display filter:
frame contains "s e l e c t"
no frames are filtered.
So I have to convert the string "select" to hexadecimal manually and run the display filter:
frame contains 73:00:65:00:6c:00:65:00:63:00:74:00
and it works.
I also tried the Find tool (in the toolbar), picked Wide (UTF-16) and entered "s e l e c t", but it couldn't find the string.
I use Wireshark v2.2.0 on a sample of data.
Upvotes: 2
Views: 1592
Reputation: 11032
Q. Is there a simple way to filter for a Unicode string directly instead of converting the string to a hex string?
The "matches" operator allows a filter to apply a Perl-compatible regular expression (PCRE).
For the word "select", the display filter is:
frame matches "s.e.l.e.c.t"
The dot here represents any character; in our case it is the \x00 character.
For case-insensitive matching, e.g. Select, SELECT:
frame matches "(?i)s.e.l.e.c.t"
(?i) performs a case-insensitive pattern match.
Q. What should I enter in the Find tool, when picking Wide (UTF-16), to search for an ASCII string such as "select" as a Unicode string?
Click the Find tool in the toolbar, and in the dropdown lists select the following:
Pick "Packet bytes" => pick "Narrow & Wide" => pick "String"
Enter the word to search for, e.g. "select", in the textbox.
If the word exists, you will find the frame data in the "Packet Bytes" area.
Upvotes: 2
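As an added illustration (not part of the question or answer above), the Python below builds both display filters from a word and runs the same byte-level checks Wireshark performs over constructed sample frames: it shows why "s e l e c t" never matches (the separator on the wire is 0x00, not the 0x20 of a typed space), and when the (?i) form is needed. The TDS-style header and the frame contents are constructed sample data, not a real capture.

```python
import re

# Constructed sample frames (not real captures): an 8-byte TDS-style header
# followed by the query text as SQL Server sends it, UTF-16LE.
TDS_LOWER = b"\x01\x01\x00\x30\x00\x00\x01\x00" + "select name from sys.tables".encode("utf-16-le")
TDS_UPPER = b"\x01\x01\x00\x30\x00\x00\x01\x00" + "SELECT name FROM sys.tables".encode("utf-16-le")
HTTP_ASCII = b"GET /select?x=1 HTTP/1.1\r\nHost: example\r\n\r\n"


def contains_filter(word: str) -> str:
    """Build the 'frame contains' filter from the UTF-16LE bytes of an ASCII word."""
    hex_bytes = ":".join(f"{b:02x}" for b in word.encode("utf-16-le"))
    return f"frame contains {hex_bytes}"


def matches_filter(word: str, ignore_case: bool = False) -> str:
    """Build the 'frame matches' filter: a dot stands in for the 0x00 after each character."""
    prefix = "(?i)" if ignore_case else ""
    return f'frame matches "{prefix}{".".join(word)}"'


def frame_contains_utf16(frame: bytes, word: str) -> bool:
    """What 'frame contains <hex>' does: an exact, case-sensitive byte-string search."""
    return word.encode("utf-16-le") in frame


def frame_matches(frame: bytes, word: str, ignore_case: bool = False) -> bool:
    """What 'frame matches' does: run the regex over the raw frame bytes."""
    regex = ".".join(re.escape(c) for c in word).encode("ascii")  # e.g. b"s.e.l.e.c.t"
    # DOTALL so '.' also matches a 0x0a byte; plain PCRE '.' would skip it.
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.search(regex, frame, flags) is not None


if __name__ == "__main__":
    print(contains_filter("select"))
    print(matches_filter("select", ignore_case=True))
    # Typing "s e l e c t" searches for 0x20 separators, but the wire has 0x00 between letters.
    print("typed spaces:", b"s e l e c t" in TDS_LOWER, " utf-16 bytes:", frame_contains_utf16(TDS_LOWER, "select"))
    for name, frame in (("lower", TDS_LOWER), ("upper", TDS_UPPER), ("ascii", HTTP_ASCII)):
        print(name, frame_matches(frame, "select"), frame_matches(frame, "select", ignore_case=True))
```

The regex form also refuses plain ASCII "select" (no byte sits between the letters), so it only catches the UTF-16 spelling.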