Ethereal-users: RE: [Ethereal-users] Is there a way to search for a string in data?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 19 Feb 2003 20:24:23 -0000
Jen,

> Is there a way to have Ethereal filter on the presence of a 
> string in data? For example, I'm looking for the string 
> "websales" that may appear in http traffic (or in other traffic).

There is no way I know to do this in Ethereal.

> Tethereal -r file -V |less

I do something similar to this but I prefer to mung the output of tethereal
-x.

Only slightly tested code follows (i.e. it worked for me for the task I had):
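# usage: tethereal -x -r file.trc | perl BinEthSearch.pl
use strict;
my $search = qr/websales/i;	# pattern to look for
my $prev_pkt;			# summary line of the packet being collected
my $bin = "";			# ASCII column of that packet's hex dump
while(<>) {
	# Is this a packet summary line?
	if (/\d+(?:\.\d+){3} \-\> \d+(?:\.\d+){3}/) {
		# First report any previous matches
		print "Match for : $prev_pkt\n" if $bin=~ $search;
		$prev_pkt=$_;
		$bin="";
	} elsif (/[0-9a-f]{4}\s+(?:[0-9a-f]{2} ){1,16}\s+(.*)/) {
		# Hex dump line: keep the whole ASCII column, which can
		# itself contain spaces
		$bin.=$1;
	}
}
# The last packet has no following summary line, so check it here
print "Match for : $prev_pkt\n" if $bin=~ $search;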

Starting from here you could produce a filter string:
	"frame.number == 10 or frame.number == 22 or (etc)"


HTH

Alistair
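
Added example, not part of the original message: one way to carry the script above through to the `frame.number` filter string it suggests, searching bytes decoded from the hex column instead of the ASCII column. It assumes the `tethereal -x` summary line begins with the frame number; the sub names and the sample capture under `__DATA__` are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Assumes `tethereal -x` prints a
# summary line that starts with the frame number, followed by hex dump lines
# of the form "offset  hex bytes  ASCII". The sample under __DATA__ is constructed.
use strict;
use warnings;

# Return the frame numbers whose reassembled bytes match $search.
sub matching_frames {
    my ($search, @lines) = @_;
    my ($frame, $bytes, @hits) = (undef, "");
    my $flush = sub {
        push @hits, $frame if defined $frame && $bytes =~ $search;
        $bytes = "";
    };
    for (@lines) {
        if (/^\s*(\d+)\s.*\d+(?:\.\d+){3} -> \d+(?:\.\d+){3}/) {
            my $next = $1;
            $flush->();            # close out the previous packet
            $frame = $next;
        } elsif (/^[0-9a-f]{4}\s+((?:[0-9a-f]{2} ){1,16})/) {
            # Decode the hex column, so spaces and line breaks in the
            # ASCII column cannot hide a match.
            $bytes .= pack "H*", join "", split ' ', $1;
        }
    }
    $flush->();                    # the last packet has no following summary
    return @hits;
}

# Build the display filter suggested in the post.
sub filter_for { return join " or ", map { "frame.number == $_" } @_ }

# Read tethereal output from a pipe, or the sample below when run directly.
my @in = -t STDIN ? <DATA> : <STDIN>;
print filter_for(matching_frames(qr/websales/i, @in)), "\n";
__DATA__
  1   0.000000 10.0.0.5 -> 10.0.0.9 HTTP GET /home HTTP/1.1
0000  47 45 54 20 2f 68 6f 6d 65 20 48 54 54 50 2f 31   GET /home HTTP/1

  2   0.120000 10.0.0.5 -> 10.0.0.9 HTTP GET /shop/websales HTTP/1.1
0000  47 45 54 20 2f 73 68 6f 70 2f 77 65 62 73 61 6c   GET /shop/websal
0010  65 73 20 48 54 54 50                              es HTTP

  3   0.250000 10.0.0.5 -> 10.0.0.9 HTTP POST /WEBSALES HTTP/1.1
0000  50 4f 53 54 20 2f 57 45 42 53 41 4c 45 53         POST /WEBSALES
```

The printed string can be pasted into Ethereal's display filter box after opening the same capture file.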

