
Filtering odd-length binary data

Hi!

I'm struggling with extracting information from Wireshark. I need to be able to differentiate between correctly formatted tcp packet data, and incorrectly (odd-length) data that an application is receiving. For example, correctly formatted data from app logs looks like this:

2021-07-26T17:21:08+0100 [,client] Working with header 0000005f00000077000000000001fdb9ffffffff
2021-07-26T17:21:08+0100 [,client] Working with packet 0000005f00000077000000000001fdb9ffffffff20013930393139303930343500000000000000000000003930310000000000000000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] Working with body 20013930393139303930343500000000000000000000003930310000000000000000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623

Incorrectly formatted data looks like this (also from the logs):

2021-07-26T17:21:08+0100 [,client] Working with header 0000005f00000077000000000001ba0fffffffff
2021-07-26T17:21:08+0100 [,client] Working with packet 0000005f00000077000000000001ba0fffffffff20013831373030383230343000000000000000000000003930310000000000000000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] Working with body 20013831373030383230343000000000000000000000003930310000000000000000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] 'Error parsing packet (Odd-length string): 0000005f00000077000000000001ba0fffffffff20013831373030383230343000000000000000000000003930310000000000000000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623'

How can I filter out and present the packets that contain the odd-length strings, from the tcp data?

With hindsight, I guess I am asking how do I write a display filter to capture binary data that looks like it contains this: 2a3930312a363636000 ?

Thanks, I hope I am clear!

sinaowolabi
asked 2021-07-26 17:20:51 +0000, updated 2021-07-26 17:48:19 +0000

Comments

What is it about the data that determines it's an "odd-length"? To TCP it's just data.

grahamb (2021-07-26 17:47:38 +0000)

1 Answer


Unfortunately the hex string you have posted isn't a valid set of bytes as it's one character short (or too long). To filter tcp packets that contain arbitrary hex bytes, use the filter contains followed by the bytes with : separators, e.g.

tcp contains 2a:39:30:31:2a:36:36:36:00

grahamb
answered 2021-07-26 17:59:09 +0000

Comments

Wow, that's exactly what I am trying to show (and what the application is rejecting as an odd-length packet). Please, how did you find out it was short or too long?

sinaowolabi (2021-07-26 18:03:18 +0000)

When I inserted the colon separators, I had a single 0 left over. I'm talking about the substring you mentioned 2a3930312a363636000.

grahamb (2021-07-26 18:17:45 +0000)

Also note that the hex-string 2a:39:30:31:2a:36:36:36 is equal to the ASCII-string *901*666. So if the test for the trailing null-byte is not necessary this filter is also possible:

tcp contains "*901*666"

André (2021-07-26 18:50:13 +0000)

Oh right, thanks a lot.

sinaowolabi (2021-07-26 20:15:31 +0000)
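As an added illustration (not code from anyone in this thread), the Python below applies grahamb's parity check to "Working with ..." log lines and derives both filter forms given above: the colon-separated hex byte string, and André's quoted ASCII string where every byte is printable. The two log lines are constructed samples in the question's format; "Odd-length string" is also the message CPython's binascii.unhexlify raises for hex text with an odd number of digits.

```python
import binascii
import re

# Constructed sample log lines in the question's format (not the real log): the
# even-length hex from the answer, then the 19-digit substring the app rejects.
SAMPLE_LOG = [
    "2021-07-26T17:21:08+0100 [,client] Working with body 2a3930312a36363600",
    "2021-07-26T17:21:08+0100 [,client] Working with body 2a3930312a363636000",
]

# Matches the 'Working with header|packet|body <hex>' lines from the log.
HEX_FIELD = re.compile(r"Working with (header|packet|body) ([0-9a-fA-F]+)\s*$")


def check_hex(hex_str):
    """Return (ok, reason). Hex text only decodes to bytes if it has an even digit count."""
    if len(hex_str) % 2:
        return False, "odd-length string (%d hex digits)" % len(hex_str)
    try:
        binascii.unhexlify(hex_str)   # also rejects non-hex characters
    except binascii.Error as exc:
        return False, str(exc)
    return True, "ok"


def contains_filter(hex_str, proto="tcp"):
    """Build the byte-string display filter, e.g. 'tcp contains 2a:39:30:31:...'."""
    ok, reason = check_hex(hex_str)
    if not ok:
        raise ValueError(reason)
    pairs = [hex_str[i:i + 2].lower() for i in range(0, len(hex_str), 2)]
    return "%s contains %s" % (proto, ":".join(pairs))


def ascii_filter(hex_str, proto="tcp"):
    """Return the quoted-string filter when every byte is printable ASCII (no quote or
    backslash), otherwise None: a NUL or other control byte must be written as hex."""
    data = binascii.unhexlify(hex_str)
    if all(0x20 <= b < 0x7F and b not in (0x22, 0x5C) for b in data):
        return '%s contains "%s"' % (proto, data.decode("ascii"))
    return None


def scan_log(lines):
    """Return (kind, digit_count, ok, reason) for every hex field found in the log lines."""
    found = []
    for line in lines:
        match = HEX_FIELD.search(line)
        if match:
            kind, hex_str = match.groups()
            ok, reason = check_hex(hex_str)
            found.append((kind, len(hex_str), ok, reason))
    return found
```

Running scan_log over the real log flags the rejected lines by digit count, and contains_filter on the substring with the stray trailing 0 dropped yields exactly the filter in the answer.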
