On Wed, Mar 26, 2003 at 04:25:10PM -0500, Ian Schorr wrote:
> Is it possible for me to build a filter/search on a particular string
> that may occur anywhere inside the packet view or tree view?
http://www.ethereal.com/faq.html#q5.29
> Also, along exact opposite lines, is there a way to define a filter that
> looks for an ASCII string or hex pattern at a particular offset, perhaps
> relative to the beginning of a record, or particular protocol header?
Yes:
http://www.ethereal.com/ethereal.1.html
"You can use the slice operator on a protocol name, too. And remember,
the ``frame'' protocol encompasses the entire packet, allowing you to
look at the nth byte of a packet regardless of its frame type (Ethernet,
token-ring, etc.).
token[0:5] ne 0.0.0.1.1
ipx[0:2] == ff:ff
llc[3:1] eq 0xaa
The following syntax governs slices:
[i:j] i = start_offset, j = length
[i-j] i = start_offset, j = end_offset, inclusive.
[i] i = start_offset, length = 1
[:j] start_offset = 0, length = j
[i:] start_offset = i, end_offset = end_of_field
Offsets and lengths can be negative, in which case they indicate the
offset from the end of the field. Here's how to check the last 4 bytes
of a frame:
frame[-4:4] == 0.1.2.3
or
frame[-4:] == 0.1.2.3
You can create complex concatenations of slices using the comma
operator:
field[1,3-5,9:] == 01:03:04:05:09:0a:0b
"
You can't compare against an ASCII string, though - you have to use a
hex string (so you need to have an ASCII-to-hex translation table
handy).
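A small worked model of the slice rules quoted above, added here by the editor (it is not Ethereal code and was not part of the original thread). It implements the five slice forms and the comma concatenation over a byte string, parses the right-hand-side forms used in the man page examples (`0.1.2.3`, `ff:ff`, `0xaa`), and does the ASCII-to-hex translation the reply says you need to write a string comparison. The function names are my own, the byte strings in it are constructed for illustration, and the handling of a slice that runs past the end of the field (treated as "no match") and the rejection of negative lengths are assumptions of this model, not behaviour taken from the page.

```python
import re
from typing import List, Tuple

# Editor-added illustration of the slice syntax quoted from ethereal(1).
# Names here (slice_bytes, parse_hex_value, ascii_to_hex, make_filter,
# matches) are hypothetical, not Ethereal's own API.

_COLON = re.compile(r"^(-?\d+)?:(\d+)?$")        # [i:j], [:j], [i:]
_DASH = re.compile(r"^(-?\d+)-(-?\d+)$")         # [i-j], inclusive end
_SINGLE = re.compile(r"^(-?\d+)$")                # [i], length 1


def _parse_ranges(spec: str, field_len: int) -> List[Tuple[int, int]]:
    """Turn "1,3-5,9:" into half-open (start, end) ranges over a field
    of field_len bytes. Negative offsets count back from the field end.
    Negative lengths are rejected here (assumption: not modelled)."""
    def norm(off: int) -> int:
        return off + field_len if off < 0 else off

    ranges: List[Tuple[int, int]] = []
    for part in (p.strip() for p in spec.split(",")):
        m = _COLON.match(part)
        if m:
            start = norm(int(m.group(1))) if m.group(1) else 0
            if m.group(2):
                length = int(m.group(2))
                if length < 0:
                    raise ValueError("negative lengths not modelled")
                end = start + length
            else:
                end = field_len                    # [i:] runs to end_of_field
            ranges.append((start, end))
            continue
        m = _DASH.match(part)
        if m:
            ranges.append((norm(int(m.group(1))), norm(int(m.group(2))) + 1))
            continue
        m = _SINGLE.match(part)
        if m:
            start = norm(int(m.group(1)))
            ranges.append((start, start + 1))
            continue
        raise ValueError(f"bad slice component {part!r}")
    return ranges


def slice_bytes(field: bytes, spec: str) -> bytes:
    """Apply a slice spec to a field and concatenate the selected bytes."""
    out = bytearray()
    for start, end in _parse_ranges(spec, len(field)):
        if start < 0 or end > len(field) or start >= end:
            raise ValueError(f"[{spec}] does not fit a {len(field)}-byte field")
        out += field[start:end]
    return bytes(out)


def parse_hex_value(text: str) -> bytes:
    """Parse right-hand sides like "0.1.2.3", "ff:ff", "01:03:04", "0xaa"."""
    t = text.strip()
    if t.lower().startswith("0x"):
        t = t[2:]
        return bytes.fromhex(t if len(t) % 2 == 0 else "0" + t)
    return bytes(int(tok, 16) for tok in re.split(r"[.:]", t))


def ascii_to_hex(text: str) -> str:
    """The ASCII-to-hex translation the reply mentions: "GET " -> "47:45:54:20"."""
    return ":".join(f"{b:02x}" for b in text.encode("ascii"))


def make_filter(proto: str, spec: str, text: str) -> str:
    """Build a display filter comparing a slice against an ASCII string."""
    return f"{proto}[{spec}] == {ascii_to_hex(text)}"


def matches(field: bytes, spec: str, rhs: str) -> bool:
    """Evaluate 'field[spec] == rhs' over a constructed field value."""
    try:
        return slice_bytes(field, spec) == parse_hex_value(rhs)
    except ValueError:
        # Assumption of this model: a slice that does not fit the field
        # simply fails to match instead of erroring out.
        return False


if __name__ == "__main__":
    # Constructed sample data, not a real capture.
    frame = bytes(range(12))                      # 00 01 02 ... 0b
    print(slice_bytes(frame, "1,3-5,9:").hex(":"))  # man page example: 01:03:04:05:09:0a:0b
    print(slice_bytes(frame, "-4:4").hex(":"))      # last 4 bytes: 08:09:0a:0b
    print(make_filter("tcp", "0:4", "GET "))        # tcp[0:4] == 47:45:54:20
    print(matches(b"GET / HTTP/1.1", "0:4", "47:45:54:20"))
```

Running it on the 12-byte constructed field reproduces the man page's `01:03:04:05:09:0a:0b` for `field[1,3-5,9:]`, and `make_filter` gives you the hex form to paste into Ethereal instead of keeping a translation table handy.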