Wireshark-users: Re: [Wireshark-users] packet payload string or hex filter

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 22 Feb 2008 07:27:06 +0100
On Thu, Feb 21, 2008 at 10:01:48PM -0700, Stephen Fisher wrote:
> On Fri, Feb 22, 2008 at 03:38:23AM +0100, Grzegorz Szczytowski wrote:
> 
> > I'm wondering if wireshark support string or hex filier similar to 
> > following syntax:
> > 
> > data.data include or content "blablabla"
> > 
> > The issue is that the filter should goes over the whole packet to 
> > match that string.
> 
> This is not currently possible because there is no field that contains 
> the contents of the entire frame.  Maybe we should add one under the 
> frame dissector?  This leaves you with the find packet search that 
> allows hex values or strings.

Well, if the capture file consists of only ethernet frames, then
you can use the following filters:

eth contains "blablabla" (string)
eth contains 00403f (hex)

Those filters will match any packet that contains the string 
"blablabla" (or the byte sequence 00 40 3f) anywhere in the packet.

Hope this helps,
Cheers,
    Sake