Wireshark-users: [Wireshark-users] Searching for a particular sequence in a packet
From: Hussain <conundrums@xxxxxxxxx>
Date: Fri, 25 Sep 2009 12:06:44 +0600
Dear All,

I need to look/search for a particular sequence in the traffic that I am capturing using wireshark. That is, I want to search for all packets with certain strings, and that too in a certain order; for example, first the string "RTSP", followed by the string ".rm", followed by \r\n (x0d x0a in HEX).

To do that, I created the following filter
tcp matches "(?s)(RTSP.*.rm.*\x0d\x0a)"

However, it seems that the search would find 'rm' only and not '.rm'. I even tried using the following filter
tcp matches "(?s)(RTSP.*\.rm.*\x0d\x0a)"

but it did not work. Eventually I ended up using the following filter,
tcp matches "(?s)(RTSP.*.rm.*\x0d\x0a)" and tcp contains ".rm"

But I do not think that this gives me what I really want. :(

Also, I was just wondering if it was possible to search with offsets. For example, I want to search for packets where the first byte is, let's say, \xe3 (HEX), and then after four bytes, I get the string \x45 (HEX value). I.e. one such possible sequence could be e3 09 08 ff f3 45.

I have searched to see if this has been covered before, but could not find it, and do apologize in advance if these questions have already been answered, and if that is the case I would appreciate it if someone could guide me to those answers.

Thank you.


P.S. Given below is the information about the Wireshark version I am using, and my operating system:
Wireshark Version 1.2.1 (SVN Rev 29141)
Running on Windows Vista Service Pack 1, build 6001, with WinPcap version 4.1, beta5 (packet.dll version, based on libpcap version 1.0.0, GnuTLS 2.8.1, Gcrypt 1.4.4, without AirPcap.
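As an added example, not part of the original post and not a Wireshark feature: a small Python script that applies the two kinds of match the post describes (the ordered "RTSP" / ".rm" / CRLF sequence, and fixed-offset byte checks) to constructed payloads, so the effect of the escaped versus unescaped dot and of the offset rule can be seen outside Wireshark. The sample payloads and the OFFSET_RULE mapping are constructed for illustration.

```python
import re

# Ordered sequence from the post: "RTSP", then ".rm", then CR LF, in that order.
# re.DOTALL is Python's equivalent of the (?s) flag, so '.' also spans line breaks.
# STRICT escapes the dot so it requires a literal '.', LOOSE lets any byte precede "rm".
STRICT = re.compile(rb"RTSP.*\.rm.*\x0d\x0a", re.DOTALL)
LOOSE = re.compile(rb"RTSP.*.rm.*\x0d\x0a", re.DOTALL)


def matches_sequence(payload: bytes, pattern: re.Pattern = STRICT) -> bool:
    """True if the ordered byte sequence occurs anywhere in the payload."""
    return pattern.search(payload) is not None


def matches_offsets(payload: bytes, expected: dict) -> bool:
    """True if every offset in `expected` exists and holds the required byte value."""
    return all(off < len(payload) and payload[off] == val for off, val in expected.items())


# Constructed sample payloads (not taken from a real capture).
SAMPLES = {
    # Uppercase "RTSP", literal ".rm", then CRLF: matches both patterns.
    "rm_response": b"RTSP/1.0 200 OK\r\nContent-Base: rtsp://media.example/clip.rm/\r\n\r\n",
    # "form" contains "orm": the unescaped dot accepts it, the escaped one does not.
    "form_response": b"RTSP/1.0 200 OK\r\nContent-Base: rtsp://media.example/form/\r\n\r\n",
    # ".rm" appears only before "RTSP", so the required order is not met by either pattern.
    "request": b"DESCRIBE rtsp://media.example/clip.rm RTSP/1.0\r\nCSeq: 1\r\n\r\n",
}

# Offset rule from the post: 0xe3 at byte 0 and 0x45 at byte 5 (e3 09 08 ff f3 45).
OFFSET_RULE = {0: 0xE3, 5: 0x45}
OFFSET_SAMPLES = {
    "hit": bytes.fromhex("e30908fff345"),
    "wrong_byte": bytes.fromhex("e30908fff346"),
    "too_short": bytes.fromhex("e309"),  # offset 5 does not exist, so no match
}


def classify(samples: dict, check) -> dict:
    """Apply `check` to every sample, like a filter evaluated per packet; returns name -> bool."""
    return {name: check(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14s} strict={matches_sequence(payload)!s:5s} "
              f"loose={matches_sequence(payload, LOOSE)!s:5s}")
    for name, hit in classify(OFFSET_SAMPLES, lambda p: matches_offsets(p, OFFSET_RULE)).items():
        print(f"{name:14s} offsets={hit}")
```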