Nice! Exactly what I needed.
The colons were what I was missing and then I gave up on 'contains' and went further in the weeds after that!
Thanks,
Wes
--- On Wed, 10/5/11, Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx> wrote:
> From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Searching for Hex in a pcap file using tshark
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Date: Wednesday, October 5, 2011, 3:10 PM
> On Wed, Oct 05, 2011 at 12:00:47PM
> -0700, Wes wrote:
>
> > Is there an equivalently method of doing an
> Edit->Find Packet->Hex
> > value in Wireshark with command options in tshark?
>
> > I've tried multiple -R filters, but haven't hit on the
> right one
> > yet...
>
> Try -R "frame contains xx:xx" (each hex byte is represented
> by xx and
> you can have more if needed).
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>