This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter on dicom header information containing C-MOVE…

0

Hi, I have a network capture that contains DICOM data.
In the Info column for a packet containing a DICOM header, I have the string:
P-DATA, C-MOVE-RQ ID=1

My question is: Shouldn't I be able to use the filter: dicom contains "C-MOVE-RQ" to show only packets that have a DICOM header containing that string? I would think the answer is yes. Yet I cannot use that filter to show only those packets. Any thoughts out there on this?

Thanks!

asked 19 Apr '17, 11:00

cpigz

One way I found that I could do something like what I'm looking for is to right-click on a DICOM packet -> protocol preferences -> Create subtrees for DICOM tags.

This enables me to use a display filter like: dicom.tag.value.str contains "MOVE"

Now I can see only packets related to the C-MOVE-RQ and the C-MOVE-RSP, but this does not include the C-MOVE data packets. So this is closer to what I'm looking to do, but still not perfect.

(19 Apr '17, 11:51) cpigz

One Answer:

1

The DICOM dissector doesn't provide a field for command values.

A workaround can be to use the hex bytes of the C-MOVE-RQ command (0x0021) in the display filter. Please be aware of the endianness of the capture. So a filter such as dicom contains 21:00 should work.

If this lists too many packets, prepending the hex bytes of the Unsigned Short can help.

=> dicom contains 02:00:00:00:21:00

answered 19 Apr '17, 11:44

Uli

Thanks! That is an interesting approach. I never even thought of that. However, this also means that a hex combination of 21:00 will be matched when "Presentation Context Reply" is present. This means I will also see all association accepts.

The filter: dicom.tag.value.str contains "MOVE"

seems to work a little better (it's just missing the C-MOVE data packets).

(19 Apr '17, 12:07) cpigz
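The byte-pattern approach from the answer, and the false positive described in the last comment, can be reproduced offline. The following Python is an added example, not code from the original thread or from Wireshark: it builds a few hand-constructed, simplified DICOM PDUs (an A-ASSOCIATE-AC without the user information item, a C-MOVE-RQ command PDV, its identifier data set, and a C-MOVE-RSP command PDV), mimics the display filter dicom contains aa:bb:... as a substring match over the PDU bytes, and then decodes the Command Field (0000,0100) properly. It also shows why 02:00:00:00:21:00 is the element length (2, as a 4-byte little endian value) followed by the command value, and how the data fragments the question is still missing can be attributed to the last command PDV seen on the same presentation context. The AE titles, UIDs and tag values in the constructed PDUs are assumptions.

```python
"""Added example: constructed DICOM PDUs and two ways of finding a C-MOVE-RQ."""
import struct

# Command Field (0000,0100) values, PS3.7 Table E.1-1 (subset)
COMMAND_FIELD = {0x0021: "C-MOVE-RQ", 0x8021: "C-MOVE-RSP",
                 0x0001: "C-STORE-RQ", 0x8001: "C-STORE-RSP"}

def element(group, elem, value):
    """One implicit VR little endian element: tag (2+2), length (4), value."""
    return struct.pack("<HHI", group, elem, len(value)) + value

def us(v):
    return struct.pack("<H", v)

def padded(s, pad):
    b = s.encode("ascii")
    return b + pad if len(b) % 2 else b      # DICOM values have even length

def command_set(cmd, msg_id_tag, msg_id, extra=b""):
    body = (element(0x0000, 0x0002, padded("1.2.840.10008.5.1.4.1.2.2.2", b"\x00"))
            + element(0x0000, 0x0100, us(cmd))          # this is the 02:00:00:00:21:00
            + element(0x0000, msg_id_tag, us(msg_id))
            + extra
            + element(0x0000, 0x0800, us(0x0000)))      # a data set follows
    return element(0x0000, 0x0000, struct.pack("<I", len(body))) + body  # group length first

def p_data_tf(ctx_id, payload, is_command):
    """P-DATA-TF PDU with a single PDV. PDU and PDV lengths are big endian."""
    flags = 0x03 if is_command else 0x02    # bit0: command set, bit1: last fragment
    pdv = struct.pack(">I", len(payload) + 2) + bytes([ctx_id, flags]) + payload
    return b"\x04\x00" + struct.pack(">I", len(pdv)) + pdv

def a_associate_ac():
    """Simplified A-ASSOCIATE-AC; the presentation context reply item is 0x21 0x00 ..."""
    app_ctx = b"1.2.840.10008.3.1.1.1"
    ts = b"1.2.840.10008.1.2"                               # implicit VR little endian
    ts_item = b"\x40\x00" + struct.pack(">H", len(ts)) + ts
    pc_body = bytes([1, 0, 0, 0]) + ts_item                 # ctx id 1, result 0 = accepted
    pc_item = b"\x21\x00" + struct.pack(">H", len(pc_body)) + pc_body
    items = b"\x10\x00" + struct.pack(">H", len(app_ctx)) + app_ctx + pc_item
    body = (struct.pack(">H", 1) + b"\x00\x00" + b"SCP".ljust(16) + b"SCU".ljust(16)
            + b"\x00" * 32 + items)
    return b"\x02\x00" + struct.pack(">I", len(body)) + body

# Constructed "capture" (assumed values): accept, C-MOVE-RQ command, its identifier
# data set, C-MOVE-RSP command, all on presentation context 1.
CAPTURE = [
    ("A-ASSOCIATE-AC", a_associate_ac()),
    ("P-DATA cmd", p_data_tf(1, command_set(0x0021, 0x0110, 1,
        element(0x0000, 0x0600, padded("DEST_AE", b" "))     # Move Destination
        + element(0x0000, 0x0700, us(0))), True)),           # Priority
    ("P-DATA data", p_data_tf(1, element(0x0008, 0x0052, b"STUDY ")
                                + element(0x0020, 0x000D, padded("1.2.3.4", b"\x00")), False)),
    ("P-DATA cmd", p_data_tf(1, command_set(0x8021, 0x0120, 1,
        element(0x0000, 0x0900, us(0))), True)),             # Status
]

def matches_hex(pdu, pattern):
    """Approximation of the display filter `dicom contains aa:bb:...`."""
    return bytes.fromhex(pattern.replace(":", "")) in pdu

def elements(data):
    off = 0
    while off + 8 <= len(data):
        group, elem, length = struct.unpack_from("<HHI", data, off)
        off += 8
        yield group, elem, data[off:off + length]
        off += length

def pdvs(pdu):
    """Yield (ctx_id, is_command, payload) for each PDV of a P-DATA-TF PDU."""
    off = 6
    while off < len(pdu):
        pdv_len = struct.unpack_from(">I", pdu, off)[0]
        yield pdu[off + 4], bool(pdu[off + 5] & 0x01), pdu[off + 6:off + 4 + pdv_len]
        off += 4 + pdv_len

def command_of(pdu):
    """Decode the Command Field of a P-DATA-TF command PDV; None for anything else."""
    if pdu[0] != 0x04:
        return None
    for _, is_command, payload in pdvs(pdu):
        if is_command:
            for group, elem, value in elements(payload):
                if (group, elem) == (0x0000, 0x0100):
                    return COMMAND_FIELD.get(struct.unpack("<H", value)[0], "unknown")
    return None

def label_capture(capture):
    """Data PDVs inherit the last command seen on their presentation context."""
    last_cmd, out = {}, []
    for name, pdu in capture:
        cmd = command_of(pdu)
        if pdu[0] == 0x04:
            ctx, is_command, _ = next(pdvs(pdu))
            if is_command:
                last_cmd[ctx] = cmd
            else:
                cmd = f"{last_cmd.get(ctx, 'unknown')} data"
        out.append((name, cmd))
    return out

if __name__ == "__main__":
    for name, pdu in CAPTURE:
        print(f"{name:15} 21:00={matches_hex(pdu, '21:00')!s:5} "
              f"02:00:00:00:21:00={matches_hex(pdu, '02:00:00:00:21:00')!s:5} "
              f"decoded={command_of(pdu)}")
    print(label_capture(CAPTURE))
```

Running it shows the behaviour discussed in the thread: 21:00 hits both the A-ASSOCIATE-AC (item type 0x21 followed by its reserved 0x00 byte) and the C-MOVE-RQ command, the longer 02:00:00:00:21:00 hits only the command, neither pattern matches the C-MOVE-RSP (0x8021 is 21:80 on the wire) or the identifier data set, and only correlating data PDVs with the preceding command on the same presentation context labels the data fragments as belonging to the C-MOVE-RQ.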