Title?
Since I use Google to find out pretty much everything, I thought I should have a page of things I had to work out for myself because 'the internet' didn't seem to know. Now it will.
Thursday, 12 January 2012
Filtering based on any old byte(s) in Wireshark
Well this one is no doubt somewhere in Google, but knowing what to type in wasn't obvious, for me at least. I wanted to filter some (well, over a million) captured packets in Wireshark whose protocol was not in the list. I looked at... hmm, nobody cares about this story, do they? Short version: select the 'frame' protocol, which is actually a dummy protocol that gives you the whole frame. In the filter 'Expression' dialogue, choose 'frame' for the protocol, but just select the top-level item. Then select your operator, type the test bytes in the top-right data-to-test-on box, and in the bottom-right box labelled something like 'Range' enter the byte offset and number of bytes you are planning to filter on, in the form offset:length. In my case that was 209:1. More details at http://www.wireshark.org/docs/man-pages/wireshark-filter.html#the_slice_operator
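As an added example (not from the original post, and not Wireshark's own code), here is a small Python emulation of the slice filter the dialogue builds, which in text form is a display filter like `frame[209:1] == 2a`. The frames and the marker byte at offset 209 are constructed; negative (from-the-end) offsets are not handled.

```python
from typing import List, Optional, Tuple


def parse_slice(spec: str) -> Tuple[int, Optional[int]]:
    """Turn a Wireshark slice spec into (start, length).
    '209:1'   -> offset 209, length 1      ':4'   -> first 4 bytes
    '209-210' -> offsets 209..210 inclusive '209:' -> offset 209 to end
    '209'     -> offset 209, length 1
    A length of None means 'to the end of the frame'."""
    spec = spec.strip()
    if ":" in spec:
        start, length = spec.split(":", 1)
        return (int(start) if start else 0), (int(length) if length else None)
    if "-" in spec:
        start, end = spec.split("-", 1)
        return int(start), int(end) - int(start) + 1
    return int(spec), 1


def frame_slice(frame: bytes, spec: str) -> bytes:
    """Bytes selected by spec. If the frame is too short the result is
    shorter than requested, so a comparison simply fails (no match)."""
    start, length = parse_slice(spec)
    return frame[start:] if length is None else frame[start:start + length]


def parse_value(text: str) -> bytes:
    """Wireshark byte literals as typed in the dialogue: '2a', '0x2a', '00:ff'."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text.replace(":", ""))


def matching_frames(frames: List[bytes], spec: str, value: str) -> List[int]:
    """Indexes of frames for which `frame[spec] == value` holds."""
    want = parse_value(value)
    return [i for i, f in enumerate(frames) if frame_slice(f, spec) == want]


def make_frame(tag: int, length: int = 256) -> bytes:
    """Constructed frame: zero-filled, with a marker byte at offset 209."""
    frame = bytearray(length)
    frame[209] = tag
    return bytes(frame)


# Constructed capture: three long frames plus one too short to have offset 209.
FRAMES = [make_frame(0x2A), make_frame(0x42), make_frame(0x2A), bytes(64)]

if __name__ == "__main__":
    print(matching_frames(FRAMES, "209:1", "2a"))  # [0, 2]
```

The short fourth frame never matches, which is the same behaviour you see in Wireshark when the slice runs past the end of a packet.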