frame contains "\x03\x00\x0e\xa8" display filter in wireshark displays packets not containing these bytes

I used the following filter in Wireshark to find the packets containing these bytes:

frame contains "\x03\x00\x0e\xa8"

But when I look at the result of this filter, it displays more than 1k packets which don't even contain these bytes. For example, it even displays the following Ethernet packet:

00219ba0610678e7d1c625f40800450000282a0340008006cd88c0a87801d43af65f059e00503bac54cf9f17722a5010ffff04e50000

These bytes are nowhere in this packet. Similarly, there are several other packets which are displayed, while actually only two packets contain these bytes, and those are displayed as well. Can anyone let me know what the issue is here? Any help will be highly appreciated. Thanks.

mezda asked Sep 20 '12 11:09



1 Answer

A quick test indicates that:

"\x03\x00\x0e\xa8" is treated as a search for a string with the \x00 terminating the search string. That is: the string actually being searched for is "\x03".

The following will work:

frame contains 03:00:0e:a8

See: Display Filters, Wireshark User's Guide, and ask.wireshark.org

Although not explicitly stated, "..." specifies a NULL-terminated search string in the usual C string constant fashion.

willyo answered Sep 17 '22 05:09
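The following Python script is an added example (not code from the question, the answer, or the Wireshark project) that reproduces the behaviour the answer describes. It parses the Ethernet frame hex dump quoted in the question, then applies the "contains" test twice: once with the quoted string collapsed at its first NUL the way a C string constant would be, and once with the 03:00:0e:a8 byte-sequence form. The frame bytes are copied from the question; the function names and the second, constructed frame are assumptions for illustration.

```python
from __future__ import annotations

# Copy of the Ethernet frame hex dump quoted in the question (54 bytes).
FRAME_HEX = (
    "00219ba0610678e7d1c625f40800450000282a0340008006cd88"
    "c0a87801d43af65f059e00503bac54cf9f17722a5010ffff04e50000"
)

# Constructed frame (not from the page) that really does carry 03 00 0e a8,
# so the byte-sequence form has a positive case to match against.
FRAME_WITH_PATTERN_HEX = "ffee" + "03000ea8" + "0102"


def parse_hex_dump(hex_dump: str) -> bytes:
    """Turn a contiguous hex dump (as copied from Wireshark's bytes pane) into raw bytes."""
    cleaned = "".join(hex_dump.split())
    if len(cleaned) % 2:
        raise ValueError("hex dump has an odd number of nibbles")
    return bytes.fromhex(cleaned)


def c_string_needle(needle: bytes) -> bytes:
    """Emulate C string-constant semantics: the first NUL ends the string,
    so "\\x03\\x00\\x0e\\xa8" collapses to a single 0x03 byte."""
    nul = needle.find(b"\x00")
    return needle if nul < 0 else needle[:nul]


def byte_sequence_needle(colon_hex: str) -> bytes:
    """Parse the colon-separated byte-sequence form (03:00:0e:a8) into bytes."""
    return bytes(int(part, 16) for part in colon_hex.split(":"))


def match_offsets(frame: bytes, needle: bytes) -> list[int]:
    """Every byte offset at which needle occurs in frame (empty needle never matches)."""
    if not needle:
        return []
    offsets, start = [], 0
    while (pos := frame.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def frame_contains(frame: bytes, needle: bytes) -> bool:
    """The 'contains' operator: true if needle occurs anywhere in the frame."""
    return bool(match_offsets(frame, needle))


def compare_interpretations(frame_hex: str) -> dict[str, bool]:
    """Apply both readings of the filter value to one frame."""
    frame = parse_hex_dump(frame_hex)
    quoted = c_string_needle(b"\x03\x00\x0e\xa8")      # what the "..." form searches for
    sequence = byte_sequence_needle("03:00:0e:a8")     # what the aa:bb:cc form searches for
    return {
        "quoted_string": frame_contains(frame, quoted),
        "byte_sequence": frame_contains(frame, sequence),
    }


if __name__ == "__main__":
    frame = parse_hex_dump(FRAME_HEX)
    print("quoted form collapses to:", c_string_needle(b"\x03\x00\x0e\xa8").hex())
    print("0x03 found at offsets:", match_offsets(frame, b"\x03"))
    print("question's frame:", compare_interpretations(FRAME_HEX))
    print("constructed frame:", compare_interpretations(FRAME_WITH_PATTERN_HEX))
```

The single 0x03 that makes the quoted form match sits at offset 19, inside the IP Identification field (0x2a03) of the packet, which is exactly the kind of incidental byte that turns a "frame contains" filter for one byte into a match on a thousand packets. The same emulation lets you sanity-check any filter value that contains embedded NULs before trusting the packet list.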