Hi, I have a network capture that contains DICOM data. My question is: Shouldn't I be able to use the filter: dicom contains "C-MOVE-RQ" to show only packets that have a DICOM header containing that string? I would think the answer is yes. Yet, I cannot use that filter to show only those packets. Any thoughts out there on this? Thanks!

asked 19 Apr '17, 11:00 cpigz
One Answer:
The DICOM dissector doesn't provide a field for command values. A workaround can be to use the hex bytes of the C-MOVE-RQ command (0x0021) in the display filter. Please be aware of the endianness of the capture. So a

If this lists too many packets, prepending the hex bytes of the Unsigned Short can help. =>

answered 19 Apr '17, 11:44 Uli

Thanks! That is an interesting approach. I never even thought of that. However, this also means that a hex combination of 21:00 will be matched when "Presentation Context Reply" is present. This means I will also see all association accepts. The filter: dicom.tag.value.str contains "MOVE" seems to work a little better (it's just missing the C-MOVE-Data packets). (19 Apr '17, 12:07) cpigz
One way I found that I could do something like what I'm looking for is to right-click on a DICOM packet -> protocol preferences -> Create subtrees for DICOM tags.
This enables me to use a display filter like: dicom.tag.value.str contains "MOVE"
Now I can see only packets related to a C-MOVE-RQ and the C-MOVE-RSP, but this does not include the C-MOVE-DATA packets. So, this is closer to what I'm looking to do but still not perfect.
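
An added example, not part of the original thread: a Python sketch of why matching the raw bytes 21:00 also hits association accepts, and how reading the Command Field element (0000,0100) only from command fragments of P-DATA-TF PDUs avoids that. It assumes one whole PDU per buffer and an unfragmented command set in Implicit VR Little Endian; the helper names and both sample PDUs are constructed for illustration.

```python
import struct

P_DATA_TF = 0x04     # PDU type that carries DIMSE commands and data
C_MOVE_RQ = 0x0021   # Command Field value for C-MOVE-RQ

def find_command_field(cmd):
    """Walk Implicit VR Little Endian elements; return (0000,0100) or None."""
    pos = 0
    while pos + 8 <= len(cmd):
        group, elem_no, length = struct.unpack("<HHI", cmd[pos:pos + 8])
        value = cmd[pos + 8:pos + 8 + length]
        if (group, elem_no) == (0x0000, 0x0100) and len(value) >= 2:
            return struct.unpack("<H", value[:2])[0]
        pos += 8 + length
    return None

def command_fields(pdu):
    """Command Field values from the command PDVs of a single PDU."""
    if len(pdu) < 6 or pdu[0] != P_DATA_TF:
        return []    # association PDUs never carry a DIMSE command
    end = min(len(pdu), 6 + struct.unpack(">I", pdu[2:6])[0])
    found, pos = [], 6
    while pos + 6 <= end:
        # PDV item: 4-byte big-endian length, context ID, control header
        pdv_len, _ctx_id, ctrl = struct.unpack(">IBB", pdu[pos:pos + 6])
        if pdv_len < 2:
            break    # malformed item, stop parsing
        if ctrl & 0x01:   # bit 0 set: fragment belongs to a command set
            value = find_command_field(pdu[pos + 6:pos + 4 + pdv_len])
            if value is not None:
                found.append(value)
        pos += 4 + pdv_len
    return found

# --- constructed sample PDUs (not taken from a real capture) ---
def elem(group, elem_no, value):
    return struct.pack("<HHI", group, elem_no, len(value)) + value

def p_data(cmd_set, ctx_id=1):
    pdv = struct.pack(">IBB", len(cmd_set) + 2, ctx_id, 0x03) + cmd_set
    return struct.pack(">BBI", P_DATA_TF, 0, len(pdv)) + pdv

MOVE_RQ = p_data(elem(0, 0, struct.pack("<I", 10)) +
                 elem(0, 0x0100, struct.pack("<H", C_MOVE_RQ)))
# A-ASSOCIATE-AC (type 0x02): zeroed fixed fields, then a presentation
# context item whose type byte 0x21 and reserved 0x00 form "21 00".
_body = bytes(68) + b"\x21\x00\x00\x04\x01\x00\x00\x00"
ASSOC_AC = struct.pack(">BBI", 0x02, 0, len(_body)) + _body

if __name__ == "__main__":
    for name, pdu in (("MOVE_RQ", MOVE_RQ), ("ASSOC_AC", ASSOC_AC)):
        print(name, b"\x21\x00" in pdu, C_MOVE_RQ in command_fields(pdu))
```

Both sample PDUs contain the byte pair 21 00, but only the P-DATA-TF one yields a Command Field of 0x0021.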