This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I search for packets containing 4 digits plus ;

0

How in Wireshark do I find TCP packets containing in their data a string consisting of 4 digits plus a semicolon? I have tried matches with strings \d\d\d\d; and [0-9]{4}; and various others but it rejects them all as not a valid byte string.

Thanks - Rowan

asked 23 Nov '12, 09:53


Rowan


One Answer:

1

This works for me with Wireshark 1.8.3 (Win XP).

Match a 4 digit ASCII string

tcp matches "[0-9]{4};"

Match a time string, like 09:05:15

tcp matches "[0-9]{2}:[0-9]{2}:[0-9]{2}"

However, this will only match ASCII in the TCP payload. Do you want to match ASCII values or binary digits?

Regards
Kurt

answered 23 Nov '12, 10:26


Kurt Knochner ♦

edited 23 Nov '12, 10:26

You probably meant tcp.data.

(23 Nov '12, 10:41) helloworld

The match on tcp.data does not work. I have not yet checked why.

(23 Nov '12, 10:47) Kurt Knochner ♦

Hmm. It seems to work for me (as in, it properly filters packets in the list that match the pattern). I'm running Wireshark 1.8.1 in OSX.

(23 Nov '12, 10:57) helloworld

I tested with WinXP. Test with Ubuntu follows.

(23 Nov '12, 10:59) Kurt Knochner ♦

It also works for me in Wireshark 1.9.0 in Windows 7.

(23 Nov '12, 11:18) helloworld

Thank you. I'm sure I tried this before, but now I find that this works fine. It is the ASCII data that I'm trying to filter.

Rowan

(24 Nov '12, 15:29) Rowan

@Rowan

I converted your "answer" to a comment as that is how this site works, please read the FAQ for more info.

If an answer solves your issue please accept it by clicking the checkmark icon next to the answer as this helps other users of the site with a similar question. This is also in the FAQ.

(25 Nov '12, 02:29) grahamb ♦
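
Added example, not part of the original thread: a Python sketch of what the pattern from the answer's filter matches when applied to raw payload bytes, including the ASCII-versus-binary point raised in the answer. The function names, the stricter `EXACTLY_FOUR` pattern and the sample payloads are constructed for illustration.

```python
import re
import struct

# Same pattern as in the filter  tcp matches "[0-9]{4};"  compiled over bytes.
FOUR_DIGITS = re.compile(rb"[0-9]{4};")

# Stricter variant (assumption, not from the thread): reject a match that is
# only the tail of a longer digit run, e.g. "2345;" inside "12345;".
EXACTLY_FOUR = re.compile(rb"(?<![0-9])[0-9]{4};")

# Constructed sample payloads, one per case worth distinguishing.
SAMPLES = {
    "ascii": b"ID=1234;OK",                         # digits sent as ASCII text
    "long_run": b"ref 9912345;",                    # more than four digits
    "binary_u16": struct.pack(">H", 1234) + b";",   # 1234 as bytes 0x04 0xD2
    "time": b"09:05:15",                            # digits but no semicolon
}


def find_hits(payload: bytes, pattern=FOUR_DIGITS):
    """Return (offset, matched_bytes) for every hit in one payload."""
    return [(m.start(), m.group()) for m in pattern.finditer(payload)]


def classify(samples=SAMPLES, pattern=FOUR_DIGITS):
    """Run the pattern over every sample payload, keyed by sample name."""
    return {name: find_hits(data, pattern) for name, data in samples.items()}


if __name__ == "__main__":
    for label, pattern in (("[0-9]{4};", FOUR_DIGITS),
                           ("exactly four", EXACTLY_FOUR)):
        print(label)
        for name, hits in classify(pattern=pattern).items():
            print(f"  {name:11s} {hits}")
```

The binary-encoded value produces no hit because the pattern only describes ASCII digit bytes (0x30 to 0x39), and the unanchored pattern also fires on the last four digits of a longer number.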