The frame contains "\ x03 \ x00 \ x0e \ xa8" the display filter in wirehark displays packets that do not contain these bytes

Question

The frame contains "\ x03 \ x00 \ x0e \ xa8" the display filter in wirehark displays packets that do not contain these bytes

I used the following filter in wirehark to find packets containing these bytes:

frame contains "\x03\x00\x0e\xa8"

but when I see the result of this filter, it displays over 1k packets that do not even contain these bytes. For example, it even displays the following ethernet packet:

 00219ba0610678e7d1c625f40800450000282a0340008006cd88c0a87801d43af65f059e00503bac54cf9f17722a5010ffff04e50000

Nowhere are these bytes contained in this packet. Similarly, there are several other packets that are displayed, while in fact there are only two packets containing these bytes, which are also displayed. Can someone tell me what the problem is? any help would be greatly appreciated. thanks

+4

network-programming wireshark packet-capture tcpdump wireshark-dissector

mezda 20 sept '12 at 11:37

source share

1 answer

willyo · Accepted Answer · 2012-09-20T21:16:11+0000

A quick test shows that:

"\x03\x00\x0e\xa8" considered as searching for a string with \x00 ending the search string. That is: the line on which the search is performed is located "\x03 ".

The following will work:

frame contains 03:00:0e:a8

See: Display Filters , Wireshark User Guide , and ask.wireshark.org

Although not explicitly stated, "..." indicates a null-terminated search string in the normal constant of string C.

The frame contains "\ x03 \ x00 \ x0e \ xa8" the display filter in wirehark displays packets that do not contain these bytes

More articles: