Wireshark
the world's foremost network protocol analyzer
Wireshark-users: Re: [Wireshark-users] Counting packets with a matching payload
From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 6 Feb 2008 20:15:57 +0100
On Wed, Feb 06, 2008 at 06:42:10PM -0000, Scott Sheppard wrote:
>
> I have a data set with 50,000 packets in it. Many of them have a TCP/IP
> packet with a payload that follows a pattern. The pattern is a 1024 byte
> payload with 55 aa 55 aa etc hex in it. I want to filter this data set and
> count how many packets have this pattern it is.
>
> Any thoughts?
You could use a display filter to select the frames and then use
statistics (or the status bar) to count the amount of filtered
frames.
To build a displayfilter matching these packets, make sure the protocol
that contains these 55aa55aa paterns is disabled (Analyze -> Enabled Protocols).
This way, tcp will hand of dissection to the data dissector.
Double-click on "data (xxx bytes)" in the packet details pane. Then
rightclick on "Data: 55aa55aa55aa55..." and select "Apply as Filter -> Selected".
That should do the trick :-)
Cheers,
Sake
- References:
- [Wireshark-users] Counting packets with a matching payload
- From: Scott Sheppard
- [Wireshark-users] Counting packets with a matching payload
- Prev by Date: Re: [Wireshark-users] Capture Filter Help
- Next by Date: Re: [Wireshark-users] Capture Filter Help
- Previous by thread: [Wireshark-users] Counting packets with a matching payload
- Next by thread: [Wireshark-users] Capture Filter Help
- Index(es):