Ethereal-users: RE: [Ethereal-users] Find Frame / Filtering
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Evers, John E." <JEVERS@xxxxxxx>
Date: Tue, 27 Aug 2002 11:43:09 -0500
Martin,

I am still having issues finding anything in the hex data payload field. I have tried the following to find "This" at offset C4 of the file data, highlighted in yellow. I really need to find values in the file data without knowing the offset in the file data field, but in some cases I also look for something I know the offset of. One other solution is to print out the data to a file and use some other program for the search, but try opening a 500MB file with MS WordPad or Notepad.

Filter and Find Frame (I also enclosed the hex values in "" to see if that was the secret):

    smb [c4:c7] == 54:68:69:73
    tcp [c4:c7] == 54:68:69:73
    ip [c4:c7] == 54:68:69:73
    data [c4:c7] == 54:68:69:73

Frame 12 (1514 on wire, 1514 captured)
    Arrival Time: Aug 26, 2002 16:21:09.215750000
    Time delta from previous packet: 0.001852000 seconds
    Time relative to first packet: 0.476325000 seconds
    Frame Number: 12
    Packet Length: 1514 bytes
    Capture Length: 1514 bytes
Ethernet II
    Destination: 00:c0:4f:9b:a0:ba (TASKSERVER10)
    Source: 00:90:27:78:ad:ff (Intel_78:ad:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: dell6300_sql2.lab.ncs.winternet.com (192.168.100.114), Dst Addr: TASKSERVER10 (192.168.100.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1500
    Identification: 0xd04c
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xdb01 (correct)
    Source: dell6300_sql2.lab.ncs.winternet.com (192.168.100.114)
    Destination: TASKSERVER10 (192.168.100.10)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1960 (1960), Seq: 177780446, Ack: 1629002547, Len: 1460
    Source port: microsoft-ds (445)
    Destination port: 1960 (1960)
    Sequence number: 177780446
    Next sequence number: 177781906
    Acknowledgement number: 1629002547
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16805
    Checksum: 0xdb4c (correct)
NetBIOS Session Service
    Message Type: Session message
    Length: 4156
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 11
        SMB Command: Read AndX (0x2e)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x98
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xe807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..1. .... .... .... = Execute-only Reads: Permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Reserved: 000000000000000000000000
        Tree ID: 2049
        Process ID: 65279
        User ID: 2049
        Multiplex ID: 59267
    Read AndX Response (0x2e)
        Word Count (WCT): 12
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        FID: 0xc02a
        Remaining: 65535
        Data Compaction Mode: 0
        Reserved: 0000
        Data Length: 4096
        Data Offset: 60
        Reserved: 00000000000000000000
        Byte Count (BCC): 4097
        Padding: 01
        File Data: Incomplete. Only 1396 of 4096 bytes

0000  00 c0 4f 9b a0 ba 00 90 27 78 ad ff 08 00 45 00   ..O.....'x....E.
0010  05 dc d0 4c 40 00 80 06 db 01 c0 a8 64 72 c0 a8   ...L@.......dr..
0020  64 0a 01 bd 07 a8 0a 98 b6 de 61 18 9b 33 50 10   d.........a..3P.
0030  41 a5 db 4c 00 00 00 00 10 3c ff 53 4d 42 2e 00   A..L.....<.SMB..
0040  00 00 00 98 07 e8 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 01 08 ff fe 01 08 83 e7 0c ff 00 00 00 ff   ................
0060  ff 00 00 00 00 00 10 3c 00 00 00 00 00 00 00 00   .......<........
0070  00 00 00 01 10 01 4d 5a 90 00 03 00 00 00 04 00   ......MZ........
0080  00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00   ..............@.
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8   ..............!.
00c0  01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d   .L.!This program
00d0  20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69    cannot be run i
00e0  6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00   n DOS mode....$.
00f0  00 00 00 00 00 00 72 0e bb b5 36 6f d5 e6 36 6f   ......r...6o..6o
0100  d5 e6 36 6f d5 e6 68 4d de e6 35 6f d5 e6 4d 73   ..6o..hM..5o..Ms
0110  d9 e6 3a 6f d5 e6 b5 73 db e6 18 6f d5 e6 59 70   ..:o...s...o..Yp
0120  df e6 bf 6f d5 e6 59 70 de e6 3c 6f d5 e6 36 6f   ...o..Yp..<o..6o
0130  d5 e6 24 6f d5 e6 60 70 c6 e6 3a 6f d5 e6 36 6f   ..$o..`p..:o..6o
0140  d4 e6 b8 6e d5 e6 54 70 c6 e6 23 6f d5 e6 30 4c   ...n..Tp..#o..0L
0150  de e6 3f 6f d5 e6 30 4c df e6 2a 6e d5 e6 f1 69   ..?o..0L..*n...i
0160  d3 e6 37 6f d5 e6 52 69 63 68 36 6f d5 e6 00 00   ..7o..Rich6o....
0170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0180  00 00 00 00 00 00 50 45 00 00 4c 01 06 00 33 c3   ......PE..L...3.
0190  f7 3c 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01   .<..............
01a0  06 00 00 90 3f 00 00 b0 30 00 00 00 00 00 46 b0   ....?...0.....F.
01b0  3e 00 00 10 00 00 00 a0 3f 00 00 00 40 00 00 10   >.......?...@...
01c0  00 00 00 10 00 00 04 00 00 00 04 00 00 00 04 00   ................
01d0  00 00 00 00 00 00 00 50 70 00 00 10 00 00 00 00   .......Pp.......
01e0  00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00   ................
01f0  10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00   ................
0200  00 00 00 00 00 00 00 c0 42 00 04 01 00 00 00 00   ........B.......
0210  43 00 13 dc 2b 00 00 00 00 00 00 00 00 00 00 00   C...+...........
0220  00 00 00 00 00 00 00 e0 6e 00 14 21 01 00 00 00   ........n..!....
0230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cb   ................
0260  42 00 e8 09 00 00 00 00 00 00 00 00 00 00 00 00   B...............
0270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74   ...............t
0280  65 78 74 00 00 00 82 82 3f 00 00 10 00 00 00 90   ext.....?.......
0290  3f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00   ?...............
02a0  00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e8 20   .. ..`.rdata... 
02b0  00 00 00 a0 3f 00 00 30 00 00 00 a0 3f 00 00 00   ....?..0....?...
02c0  00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64   ..........@..@.d
02d0  61 74 61 00 00 00 f0 e7 02 00 00 d0 3f 00 00 40   ata.........?..@
02e0  02 00 00 d0 3f 00 00 00 00 00 00 00 00 00 00 00   ....?...........
02f0  00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ad 32   ..@....idata...2
0300  00 00 00 c0 42 00 00 40 00 00 00 10 42 00 00 00   ....B..@....B...
0310  00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72   ..........@....r
0320  73 72 63 00 00 00 13 dc 2b 00 00 00 43 00 00 e0   src.....+...C...
0330  2b 00 00 50 42 00 00 00 00 00 00 00 00 00 00 00   +..PB...........
0340  00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 6b   ..@..@.reloc...k
0350  01 00 00 e0 6e 00 00 70 01 00 00 30 6e 00 00 00   ....n..p...0n...
0360  00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00   ..........@..B..
0370  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0390  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0400  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0450  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0460  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0480  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0490  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0500  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0510  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0520  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0530  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0540  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0550  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0560  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0570  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0580  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0590  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
05a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
05b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
05c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
05d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
05e0  00 00 00 00 00 00 00 00 00 00                     ..........

Thanks
John

-----Original Message-----
From: Visser, Martin (Sydney) [mailto:Martin.Visser@xxxxxx]
Sent: Monday, August 26, 2002 6:21 PM
To: ethereal-users@xxxxxxxxxxxx
Cc: Evers, John E.
Subject: RE: [Ethereal-users] Find Frame / Filtering

You're right, there is something broken (at least in 0.9.3 on win32). However, there is a workaround that may work for you. For the bug fixers, the following two examples DO match packets correctly:

    ipx[0:2] == "ff:ff"
    ipx[0:8] == "ff:ff:00:72:03:11:0a:8f"
    ipx[0] == "ff" && ipx [1] == "ff"

But the following DON'T match:

    ipx[0:] == "ff:ff"
    ipx[0:1] == "ff:ff"
    ipx[0:42] == "ff:ff"

It seems that an open-ended range, or a range that doesn't exactly match the number of bytes in the match string, doesn't work.

-----Original Message-----
From: Evers, John E. [mailto:JEVERS@xxxxxxx]
Sent: Tuesday, 27 August 2002 7:44 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Find Frame / Filtering

Hi,

I do a lot of tracing which requires searching / filtering on the data stream. I have tried the "Find Frame" and "Filtering" options with the following parameters:

    smb[0:] == 43:00:6f:00:6d:00:6d:00:     ;I copied the hex data stream from the hex data of a trace.
    ip[0:] == 43:00:6f:00:6d:00:6d:00:      ;I copied the hex data stream from the hex data of a trace.
    tcp[0:] == 43:00:6f:00:6d:00:6d:00:     ;I copied the hex data stream from the hex data of a trace.
    data[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from the hex data of a trace.

I have also tried to search for hex streams that were not separated by the 00 hex characters as in the above example, same results. Applying as a Filter displays no results and Find Frame responds with a "No Packet Matched Filter" message. I am guessing Ethereal does not support this, but as it is important to me I want to make sure before I abandon it for this application.

Thanks for any feedback.
John

****************************************************************************
This email may contain confidential material. If you were not an intended recipient, please notify the sender and delete all copies. We may monitor email to and from our network.
****************************************************************************

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
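An added example, not code from the thread, from Ethereal or from its authors: a small Python model of the byte-slice comparison the thread is about, run against the first 240 bytes of John's Frame 12 as transcribed from the hex dump in his message. It assumes the slice semantics documented for current Wireshark (`[i:j]` is offset and length, `[i-j]` is an inclusive range, `[i:]` runs to the end of the layer, `[:j]` is the first j bytes) and the layer offsets read from the dissection (14-byte Ethernet, 20-byte IP, 20-byte TCP, 4-byte NetBIOS session header, then SMB). Whether the 2002 Ethereal build behaved identically, or accepted hexadecimal slice indices such as `c4`, is not something the thread settles, so slice indices here are plain decimal integers. Under those semantics a slice whose length differs from the value length simply compares unequal, which is the pattern Martin reports, and `find_bytes` does the offset-free search John asked for (current Wireshark exposes that as the `contains` operator, e.g. `frame contains "This"`). The names `to_filter_hex`, `parse_filter_hex`, `resolve_slice`, `slice_eq`, `find_bytes` and `LAYER_OFFSET` are this example's own.

```python
import re

# First 240 bytes (0x00-0xef) of Frame 12, transcribed from the hex dump in
# John's message: Ethernet, IP, TCP, NetBIOS session header, SMB Read AndX
# response and the start of the returned file data (an MZ/PE header).
FRAME_HEX = """
00 c0 4f 9b a0 ba 00 90 27 78 ad ff 08 00 45 00
05 dc d0 4c 40 00 80 06 db 01 c0 a8 64 72 c0 a8
64 0a 01 bd 07 a8 0a 98 b6 de 61 18 9b 33 50 10
41 a5 db 4c 00 00 00 00 10 3c ff 53 4d 42 2e 00
00 00 00 98 07 e8 00 00 00 00 00 00 00 00 00 00
00 00 01 08 ff fe 01 08 83 e7 0c ff 00 00 00 ff
ff 00 00 00 00 00 10 3c 00 00 00 00 00 00 00 00
00 00 00 01 10 01 4d 5a 90 00 03 00 00 00 04 00
00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8
01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d
20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69
6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00
"""
FRAME = bytes.fromhex(FRAME_HEX)

# Start of each layer inside this frame, taken from the dissection above:
# 14-byte Ethernet II, 20-byte IP header, 20-byte TCP header, 4-byte
# NetBIOS session header, then the SMB header (ff 53 4d 42 at 0x3a).
# Assumed mapping for this example only.
LAYER_OFFSET = {"frame": 0, "eth": 0, "ip": 14, "tcp": 34, "nbss": 54, "smb": 58}


def to_filter_hex(text, encoding="ascii"):
    """Render a search string as the colon-separated byte form the filter
    language uses, e.g. "This" -> "54:68:69:73".  Use encoding="utf-16-le"
    for the 43:00:6f:00... layout of Unicode SMB strings."""
    return ":".join(f"{b:02x}" for b in text.encode(encoding))


def parse_filter_hex(value):
    """Parse 54:68:69:73 (optionally double-quoted, optionally with the
    trailing colon seen in the original post) into bytes."""
    return bytes.fromhex(value.strip('"').strip(":").replace(":", ""))


def resolve_slice(spec, layer_len):
    """Map a slice spec to a Python (start, stop) pair.  Assumed forms:
       i      one byte at offset i
       i:j    j bytes starting at offset i  (offset:length, not start:end)
       i-j    bytes i through j inclusive
       i:     offset i to the end of the layer
       :j     the first j bytes
    Indices are decimal integers."""
    spec = spec.strip()
    m = re.fullmatch(r"(\d*)([:-]?)(\d*)", spec)
    if not m or spec in ("", ":", "-"):
        raise ValueError(f"bad slice spec {spec!r}")
    a, sep, b = m.groups()
    if sep == "":
        i = int(a)
        return i, i + 1
    if sep == ":":
        start = int(a) if a else 0
        stop = start + int(b) if b else layer_len
        return start, stop
    if not a or not b:
        raise ValueError(f"range form needs both ends: {spec!r}")
    return int(a), int(b) + 1


def slice_eq(frame, layer, spec, value):
    """Evaluate  layer[spec] == value.  A slice whose length differs from the
    value's length compares unequal, so the match fails rather than erroring."""
    data = frame[LAYER_OFFSET[layer]:]
    start, stop = resolve_slice(spec, len(data))
    return data[start:stop] == parse_filter_hex(value)


def find_bytes(frame, layer, value):
    """Offset-free search: return the layer-relative offset of the first
    occurrence of VALUE within the layer, or -1 if it is absent."""
    base = LAYER_OFFSET[layer]
    idx = frame.find(parse_filter_hex(value), base)
    return -1 if idx < 0 else idx - base


if __name__ == "__main__":
    this = to_filter_hex("This")                       # 54:68:69:73
    for layer, spec in [("frame", "196:4"),            # 4 bytes at 0xc4: matches
                        ("frame", "196-199"),          # same bytes as a range
                        ("frame", "196:199"),          # 199-byte slice vs 4-byte value
                        ("frame", "196:"),             # open-ended slice
                        ("smb", "138:4")]:             # 0xc4 - 0x3a, SMB-relative
        print(f"{layer}[{spec}] == {this} -> {slice_eq(FRAME, layer, spec, this)}")
    print("'This' found at smb offset", find_bytes(FRAME, "smb", this))
```

The offset John reads off the hex pane (C4) is relative to the start of the frame, so the SMB-relative form needs the SMB layer's own start subtracted (0xc4 - 0x3a = 138 decimal here); `to_filter_hex("Comm", "utf-16-le")` reproduces the `43:00:6f:00:6d:00:6d:00` pattern from the original post, which is a UTF-16LE string rather than raw ASCII.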