Sake Blok wrote:
> On Thu, Feb 21, 2008 at 10:01:48PM -0700, Stephen Fisher wrote:

        ...

>> This is not currently possible because there is no field that contains 
>> the contents of the entire frame.

Actually, there is - "frame".

> Well, if the capture file consists of only ethernet frames, then
> you can use the following filters:
> 
> eth contains "blablabla" (string)
> eth contains 00403f (hex)
> 
> Those filters will match any packet that contains the string 
> "blablabla" (or the byte sequence 00 40 3f) anywhere in the packet.

And

        frame contains "blablabla"

or

        frame contains 00:40:3f

(rather than 00403f, if you're searching for a byte with the value hex 
00, followed by a byte with the value hex 40, followed by a byte with 
the value hex 3f) will match regardless of whether the frames are 
Ethernet frames or not.

Note, however, that matches a link-layer frame, so if you're looking 
for, for example, an HTTP request or reply containing the string 
"foobar", that won't match an HTTP request in which one TCP segment ends 
with "foo" and the next TCP segment begins with "bar".  In that case, 
you'd need to search for

        http contains "method"

which *will*, as far as I know, match that.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
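
The segment-boundary case described in the message above, as an added Python example (not part of the original post, and not Wireshark's own code): a per-frame search misses "foobar" when it is split across two TCP segments, while a search over the payload reordered by sequence number finds it. The helper names, addresses, ports and sample frames are constructed for illustration; the sketch assumes Ethernet/IPv4/TCP with no sequence wraparound, gaps or overlapping segments.

```python
import struct

def build_frame(seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (no options, checksums left zero)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload

def tcp_segment(frame):
    """Return (flow key, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
    total_len = struct.unpack("!H", frame[16:18])[0]  # excludes Ethernet padding
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack("!HHI", frame[tcp_off:tcp_off + 8])
    data_off = (frame[tcp_off + 12] >> 4) * 4         # TCP header length
    payload = frame[tcp_off + data_off:14 + total_len]
    return (frame[26:30], sport, frame[30:34], dport), seq, payload

def frames_containing(frames, needle):
    """Per-frame search, analogous to `frame contains`: indexes of matching frames."""
    return [i for i, f in enumerate(frames) if needle in f]

def streams_containing(frames, needle):
    """Search each direction's payload after ordering segments by sequence number."""
    flows = {}
    for f in frames:
        seg = tcp_segment(f)
        if seg and seg[2]:
            flows.setdefault(seg[0], {})[seg[1]] = seg[2]
    return [key for key, segs in flows.items()
            if needle in b"".join(segs[s] for s in sorted(segs))]

# Constructed sample: a request whose body "foobar" is split as "foo" + "bar".
part1 = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n\r\nfoo"
FRAMES = [build_frame(1000, part1), build_frame(1000 + len(part1), b"bar")]

if __name__ == "__main__":
    print("frames matching:", frames_containing(FRAMES, b"foobar"))
    print("streams matching:", len(streams_containing(FRAMES, b"foobar")))
```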
