On Wed, Feb 19, 2003 at 10:57:15AM -0800, Jen Wu wrote:
> Is there a way to have Ethereal filter on the presence of a string in data?
Unfortunately, no. There is a wish list item for this:
http://www.ethereal.com/development.html#wishlist
"Add a display filter "match string" operator, which is similar to the
"==" operator, but operates only on strings and byte arrays, and matches
if the string in question appears anywhere in the item being tested.
This would allow users to search for packets that contain a string
anywhere in the packet (frame[0:] =~ "hi, there"), and anywhere in or
after any particular protocol's header. A regular-expression match
might also be useful."
Note that the implementation of the operator should probably *NOT* use a
naive string match, trying to see if it matches at the first byte of the
packet and, if not, trying to see if it matches at the second byte of
the packet and, if not, .... Something such as Boyer-Moore:
http://www-igm.univ-mlv.fr/~lecroq/string/node14.html
would probably be better.
Note also that "=~" isn't necessarily the right operator for a
non-regular-expression string match, as that's the Perl pattern-match
operator, and thus might thus be better for a regular-expression match
(especially if Perl regular expressions are used). I don't know what
the right non-regular-expression string match operator would be.