Wireshark · Wireshark-users: Re: [Wireshark-users] Display filter based on offset, hex

Wireshark-users: Re: [Wireshark-users] Display filter based on offset, hex

From: Jake Peavy <djstunks@xxxxxxxxx>

Date: Thu, 16 Jul 2009 17:55:38 -0400

On Thu, Jul 9, 2009 at 2:01 AM, Abhik Sarkar <sarkar.abhik@xxxxxxxxx> wrote:

On Wed, Jul 8, 2009 at 7:44 PM, Hague, Raymond [IDR] <ray.hague@xxxxxxxx> wrote:

I am attempting to create a display filter but some how keep missing the mark. I would like to create a filter that would read:

Beginning byte= 0038

Length= 4

Data="" 74:72:61:70

Something like this:
frame[0x38:4]==74:72:61:70

Is it possible to use this same approach in tshark with -T fields?

that is to say, something like:

tshark -r infile.cap -T fields -e frame[0x38:4]

I tried this and it didn't work, but hoping maybe my syntax needs adjusting.

--
-jp

If your friend is already dead, and being eaten by vultures, I think it's okay to feed some bits of your friend to one of the vultures, to teach him to do some tricks. But ONLY if you're serious about adopting the vulture.

deepthoughtsbyjackhandey.com

References:
- [Wireshark-users] Display filter based on offset, hex
  - From: Hague, Raymond [IDR]
- Re: [Wireshark-users] Display filter based on offset, hex
  - From: Abhik Sarkar

Prev by Date: [Wireshark-users] Help with simulcrypt
Next by Date: [Wireshark-users] getting data from tcpdump to tshark
Previous by thread: Re: [Wireshark-users] Display filter based on offset, hex
Next by thread: [Wireshark-users] wireshark won't execute on vista
Index(es):
- Date
- Thread