This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Find Behavior when searching for HEX sequence

0

I've just noticed the following while playing with a Wireshark trace: http contains "\x89\x50\x4E\x47" finds the correct packet with the PNG signature in the HTTP content. On the contrary, a CTRL + F for Find, then selecting the HEX option and typing 89 50 4E 47 (not case sensitive), only finds a different packet with that hex sequence in the TCP segment data. Basically, it finds the sequence in a TCP packet but seems to ignore packets categorized as HTTP and the HTTP content. By any chance, do you know if it's a bug or by design in Wireshark?

Thank you

asked 06 Mar '15, 09:10

halfluke

Did you verify that it does not highlight the TCP segment that contains a part of the HTTP payload that is later reassembled so as to be decoded by the HTTP dissector? If you could share the pcap file, it would allow us to verify this hypothesis.

(06 Mar '15, 22:28) Pascal Quantin

Sorry, I've just seen your reply. I cannot find the trace where I experienced that behaviour. I have a new one now and the Find seems to be able to find both in "tcp" and "http" packets. I will try to reproduce as soon as I have some time. But thank you!

(18 Mar '15, 10:39) halfluke
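
The reassembly hypothesis from the first comment, sketched as an added example (not part of the original thread and not Wireshark code). It assumes a simplified model: a hex Find scans each frame's own bytes, while a filter on the HTTP payload sees the reassembled stream and is attributed to the frame carrying the last segment. The frame numbers and the HTTP response are constructed sample data.

```python
PNG_MAGIC = b"\x89\x50\x4E\x47"

# Constructed sample: one HTTP response carrying a PNG body.
BODY = PNG_MAGIC + b"\r\n\x1a\n" + b"\x00" * 40
HEADER = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
          b"Content-Length: %d\r\n\r\n" % len(BODY))
RESPONSE = HEADER + BODY


def segment(data, cuts, first_frame=4):
    """Split data at the given offsets into (frame_number, payload) pairs."""
    bounds = [0, *cuts, len(data)]
    return [(first_frame + i, data[a:b])
            for i, (a, b) in enumerate(zip(bounds, bounds[1:]))]


def raw_frame_hits(frames, needle):
    """Model of a per-frame byte search: only each frame's own payload."""
    return [no for no, payload in frames if needle in payload]


def reassembled_hits(frames, needle):
    """Model of a search over the reassembled PDU.

    Assumption: the PDU is attributed to the frame holding its last segment.
    """
    stream = b"".join(payload for _, payload in frames)
    return [frames[-1][0]] if needle in stream else []


# Case A: the signature lies entirely inside the first segment.
FRAMES_A = segment(RESPONSE, [len(HEADER) + 8, len(HEADER) + 28])
# Case B: the signature straddles the boundary between two segments.
FRAMES_B = segment(RESPONSE, [len(HEADER) + 2, len(HEADER) + 28])

if __name__ == "__main__":
    for name, frames in (("A", FRAMES_A), ("B", FRAMES_B)):
        print(name, "raw:", raw_frame_hits(frames, PNG_MAGIC),
              "reassembled:", reassembled_hits(frames, PNG_MAGIC))
```

In case A the two searches land on different frames for the same bytes; in case B a per-frame search finds nothing, so a signature hunt that relies on it alone misses the file.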