
Ethereal-users: RE: [Ethereal-users] Find Frame / Filtering

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin (Sydney)" <Martin.Visser@xxxxxx>
Date: Tue, 27 Aug 2002 09:21:24 +1000
You're right, there is something broken (at least in 0.9.3 on win32).
However there is a workaround that may work for you. 
For the bug fixers, the following two examples DO match packets correctly:

ipx[0:2] == "ff:ff"
ipx[0:8] == "ff:ff:00:72:03:11:0a:8f"
ipx[0] == "ff" && ipx [1] == "ff"

But the following DON'T match

ipx[0:] == "ff:ff"
ipx[0:1] == "ff:ff"
ipx[0:42] == "ff:ff"


It seems that an open ended range or a range that doesn't exactly match
the number of bytes in the match string doesn't work.

-----Original Message-----
From: Evers, John E. [mailto:JEVERS@xxxxxxx] 
Sent: Tuesday, 27 August 2002 7:44 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Find Frame / Filtering


Hi,

I do a lot of tracing which requires searching / filtering on the data
stream.

I have tried the "Find Frame" and "Filtering" options with the following
parameters.  

smb[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.
ip[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.
tcp[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.
data[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.

I have also tried to search for hex streams that were not separated
by the 00 hex characters as in the above example, same results.


Applying as a Filter displays no results and Find Frame responds with a
"No Packet Matched Filter" message.  

I am guessing Ethereal does not support this, but as it is important to
me I want to make sure before I abandon it for this application.

Thanks for any feedback.

John
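
A small Python model of the slice comparisons listed in the reply, added here as an illustration and not Ethereal's own code. It assumes `==` on a byte slice is true only when the slice and the pattern have the same length and the same bytes, and it adds a hypothetical `find_all` helper that locates a pattern at any offset; the names `take`, `eq_exact`, `find_all` and the sample bytes are constructed for this example.

```python
import re

# Constructed sample: the eight IPX bytes quoted in the reply, zero-padded
# to the 30-byte IPX header length.
SAMPLE_IPX = bytes.fromhex("ffff007203110a8f") + bytes(22)
# Constructed payload: two filler bytes followed by "Comm" in UTF-16LE,
# which is the 43:00:6f:00:6d:00:6d:00 sequence from the original question.
SAMPLE_DATA = b"\x00\x00" + "Comm".encode("utf-16-le") + b"\x00\x00"

_SLICE = re.compile(r"^\[(\d+)(?::(\d*))?\]$")

def parse_hex(text):
    """'ff:ff' or '43:00:6f:' -> bytes; quotes and a trailing colon are tolerated."""
    parts = [p for p in text.strip().strip('"').split(":") if p]
    return bytes(int(p, 16) for p in parts)

def take(field, spec):
    """Apply [offset], [offset:length] or [offset:] to a bytes field."""
    m = _SLICE.match(spec.replace(" ", ""))
    if not m:
        raise ValueError(f"bad slice {spec!r}")
    off = int(m.group(1))
    if m.group(2) is None:                     # [n]     -> a single byte
        return field[off:off + 1]
    if m.group(2) == "":                       # [n:]    -> to end of field
        return field[off:]
    return field[off:off + int(m.group(2))]    # [n:len] -> len bytes (clipped)

def eq_exact(field, spec, pattern):
    """Assumed semantics: equal only if length AND content are identical."""
    return take(field, spec) == parse_hex(pattern)

def find_all(field, pattern):
    """Offsets at which the pattern occurs anywhere in the field."""
    needle, hits = parse_hex(pattern), []
    i = field.find(needle)
    while i != -1:
        hits.append(i)
        i = field.find(needle, i + 1)
    return hits

if __name__ == "__main__":
    for spec in ("[0:2]", "[0:]", "[0:1]", "[0:42]"):
        print(spec, eq_exact(SAMPLE_IPX, spec, "ff:ff"))
    print(find_all(SAMPLE_DATA, "43:00:6f:00:6d:00:6d:00:"))
```

Under that assumption the three non-matching filters all compare a slice of a different length (30, 1 and 30 bytes) against a 2-byte pattern, while a search by offset scan finds the pattern wherever it sits in the payload.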

