Wireshark-users: Re: [Wireshark-users] packet payload string or hex filter

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 22 Feb 2008 01:49:29 -0800
Sake Blok wrote:
On Thu, Feb 21, 2008 at 10:01:48PM -0700, Stephen Fisher wrote:

	...

This is not currently possible because there is no field that contains the contents of the entire frame.

Actually, there is - "frame".

Well, if the capture file consists of only ethernet frames, then
you can use the following filters:

eth contains "blablabla" (string)
eth contains 00403f (hex)

Those filters will match any packet that contains the string "blablabla" (or the byte sequence 00 40 3f) anywhere in the packet.

And

	frame contains "blablabla"

or

	frame contains 00:40:3f

(rather than 00403f, if you're searching for a byte with the value hex 00, followed by a byte with the value hex 40, followed by a byte with the value hex 3f) will match regardless of whether the frames are Ethernet frames or not.

Note, however, that this matches a link-layer frame, so if you're looking for, for example, an HTTP request or reply containing the string "foobar", that won't match an HTTP request in which one TCP segment ends with "foo" and the next TCP segment begins with "bar". In that case, you'd need to search for

	http contains "method"

which *will*, as far as I know, match that.
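The distinction drawn in this thread (a per-frame byte search versus a search over the reassembled protocol data) is illustrated below with a small added example; it is not code from the Wireshark project or from anyone in the thread. The frames are constructed: a placeholder 8-byte header stands in for the Ethernet/IP/TCP headers, the TCP sequence number is tracked separately, and `reassemble` is a toy in-order concatenation (no gaps, no retransmissions). The constant names and functions are the example's own.

```python
"""Why `frame contains "foobar"` misses data split across two TCP segments,
while a search over the reassembled stream (what a protocol-level filter can
see once the dissector has reassembled the segments) finds it.

Constructed example: not from the Wireshark mailing-list thread.
"""

# Placeholder header: the 3 bytes 00 40 3f (the hex sequence from the thread)
# plus a 5-byte big-endian sequence number. Real frames carry Ethernet/IP/TCP
# headers here; only the payload after HEADER_LEN is used for reassembly.
HEADER_LEN = 8


def build_frames(payloads, start_seq=1000):
    """Build (tcp_seq, raw_frame_bytes) tuples for consecutive TCP segments."""
    frames, seq = [], start_seq
    for payload in payloads:
        header = b"\x00\x40\x3f" + seq.to_bytes(5, "big")
        frames.append((seq, header + payload))
        seq += len(payload)
    return frames


# Constructed HTTP response whose 6-byte body "foobar" is cut between segments.
FRAMES = build_frames([
    b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nfoo",
    b"bar",
])

# The same two segments captured out of order.
OUT_OF_ORDER = [FRAMES[1], FRAMES[0]]


def parse_needle(operand):
    """Turn a `contains` operand into bytes.

    A double-quoted operand is literal text; a colon-separated hex operand
    such as 00:40:3f (the form recommended in the thread) is a byte sequence.
    """
    if len(operand) >= 2 and operand[0] == '"' and operand[-1] == '"':
        return operand[1:-1].encode()
    return bytes(int(octet, 16) for octet in operand.split(":"))


def frame_contains(frames, needle):
    """Per-frame search, the semantics of `frame contains`.

    Returns the 0-based indices of frames whose raw bytes contain the needle.
    A needle split across two frames is never found.
    """
    return [i for i, (_seq, raw) in enumerate(frames) if needle in raw]


def reassemble(frames):
    """Toy TCP reassembly: concatenate payloads in sequence-number order."""
    ordered = sorted(frames, key=lambda frame: frame[0])
    return b"".join(raw[HEADER_LEN:] for _seq, raw in ordered)


def stream_contains(frames, needle):
    """Search the reassembled payload, as a protocol-level filter could."""
    return needle in reassemble(frames)


if __name__ == "__main__":
    for operand in ('"foo"', '"foobar"', "00:40:3f"):
        needle = parse_needle(operand)
        print(f"frame contains {operand:<10} -> frames {frame_contains(FRAMES, needle)}")
        print(f"stream contains {operand:<9} -> {stream_contains(OUT_OF_ORDER, needle)}")
```

Running the block shows `"foo"` matching only the first frame, `00:40:3f` matching every frame (it sits in the placeholder header), and `"foobar"` matching no frame at all yet being present in the reassembled stream, even when the segments arrive out of order.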