How to create a wireshark display filter with wildcard?
Solution 1
To use wildcard, you may use . (dot).
Both the searches below will give same result,
data.data ~ "Hello World"
data.data ~ He..o.Wor.d
In your case 01:02:(anything):04:05, if we do not know length of (anything) this may not work.
Solution 2
You can use the matches operator. This allows you to define regular expression matches. Consider this:
eth.dst matches "\xff.*\xff"
This will look for ethernet destination addresses that have a 0xFF followed by something (or nothing) and another 0xFF within it. So for your case, you could do:
eth.addr matches "\x01\x02.*\x04\x05"
This will look for those byte sequences in either the source or destination MACs. You could refine it more by using a byte count if you wanted to.
Related videos on Youtube
02 : 35
06 : 50
09 : 02
16 : 03
08 : 32
Arthur Cheuk
Updated on June 04, 2022Comments
-
Arthur Cheuk almost 2 years
Suppose I have a pattern like
01:02:(anything):04:05How can I construct a display filter in wireshark to filter it out?
Must I do this?
data[0:2]==01:02 and data[3:2]==04:05 -
Christopher Maynard about 6 yearsUnfortunately, thematchesoperator doesn't work for the genericdatathough. The wireshark-filter man page states that, "[it is] only implemented for protocols and for protocol fields with a text string representation." Keep in mind that the data is the undissected remaining data in a packet, and not the beginning of the Ethernet frame. Ref: wireshark.org/docs/man-pages/wireshark-filter.html -
David Hoelzer about 6 yearsTrue. Based on how the question was written I jumped to the conclusion that he was looking at ethernet addresses.