frame contains "\x03\x00\x0e\xa8" display filter in wireshark displays packets not containing these bytes

mezda · Sep 20, 2012 · Viewed 9.1k times

I used the following filter in Wireshark to find the packets containing these bytes:

frame contains "\x03\x00\x0e\xa8"

But when I look at the result of this filter, it displays more than 1k packets which don't even contain these bytes. For example, it even displays the following Ethernet packet:

00219ba0610678e7d1c625f40800450000282a0340008006cd88c0a87801d43af65f059e00503bac54cf9f17722a5010ffff04e50000

Nowhere are these bytes contained in this packet. Similarly, there are several other packets which are displayed, while actually there are only two packets containing these bytes, which are displayed as well. Can anyone let me know what the issue is here? Any help will be highly appreciated. Thanks.

Answer

willyo · Sep 20, 2012

A quick test indicates that:

"\x03\x00\x0e\xa8" is treated as a search for a string with the \x00 terminating the search string. That is: the string actually being searched for is "\x03".

The following will work:

frame contains 03:00:0e:a8

See: Display Filters, Wireshark User's Guide, and ask.wireshark.org

Although not explicitly stated, "..." specifies a NULL-terminated search string in the usual C string constant fashion.
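To see why the original filter matched, here is an added Python example (not from the post or from Wireshark's own code) that models the behaviour the answer describes: the quoted string is cut at the first \x00, so only a single 0x03 byte is searched for, whereas the byte-sequence form 03:00:0e:a8 searches for all four bytes. It runs both interpretations over the Ethernet frame quoted in the question.

```python
# Added example: emulate how the two "frame contains" filter forms are
# interpreted, then run both against the frame quoted in the question.

# Ethernet frame pasted in the question (hex, no separators).
FRAME_HEX = (
    "00219ba0610678e7d1c625f40800450000282a0340008006cd88c0a87801"
    "d43af65f059e00503bac54cf9f17722a5010ffff04e50000"
)
FRAME = bytes.fromhex(FRAME_HEX)


def quoted_string_pattern(text: str) -> bytes:
    """Pattern actually used for  frame contains "..."  per the answer.

    The string is read like a C string constant: \\xNN escapes become
    single bytes and the first NUL terminates it, so "\\x03\\x00\\x0e\\xa8"
    leaves only b"\\x03".
    """
    raw = text.encode("latin-1").decode("unicode_escape").encode("latin-1")
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def byte_sequence_pattern(text: str) -> bytes:
    """Pattern used for  frame contains 03:00:0e:a8  (colon-separated hex)."""
    return bytes.fromhex(text.replace(":", ""))


def match_offsets(frame: bytes, pattern: bytes) -> list:
    """All offsets at which pattern occurs in frame (what 'contains' tests)."""
    offsets, start = [], frame.find(pattern)
    while start != -1:
        offsets.append(start)
        start = frame.find(pattern, start + 1)
    return offsets


if __name__ == "__main__":
    bad = quoted_string_pattern(r"\x03\x00\x0e\xa8")
    good = byte_sequence_pattern("03:00:0e:a8")
    print("quoted-string form searches for:", bad.hex())   # 03
    print("byte-sequence form searches for:", good.hex())  # 03000ea8
    # The lone 0x03 is the low byte of the IPv4 Identification field
    # (frame bytes 18-19 = 2a 03), so the truncated filter matches this
    # frame even though 03 00 0e a8 never occurs in it.
    print("offsets of truncated pattern:", match_offsets(FRAME, bad))  # [19]
    print("offsets of full pattern:", match_offsets(FRAME, good))      # []
```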