如何过滤wireshark中的包内容？

Question

我在Wireshark(version 2.0.3)中过滤包，tcp包数据是这样的：

7e:02:00:00:3c:01:41:31:07:17:83:02:97:00:00:00:00:00:0c:00:c3:02:28:ba:50:06:f1:ec:c0:00:59:00:00:01:2e:16:06:30:10:46:00:01:04:00:00:e6:2f:02:02:00:00:03:02:00:00:25:04:00:00:00:00:2b:04:00:00:00:00:30:01:13:31:01:12:5e:7e

现在想找第三个字节到第四个字节包含00:00，过滤表达式怎么写？我试过：

ip[3,2] == 00:00     #in tcpdump it works

data.data[3,2] == 00:00    #data.data == 00:00,but data not just only contain:00:00

有什么解决办法吗？

Answer 1

使用这个过滤器：

data[3:2] == 00:00  # start from 22,get 2 byte equal to 00:00

Answer 2

计数从 0 开始，因此您在示例中查找的是 2 和 3。

您可以指定和分组切片（您在示例中所做的），或提供一个范围。

# Combines 2 slices
frame[2,3]==0000 

# From byte position 2 include 2 bytes (e.g. 2 and 3)
frame[2:2]==0000

# Provides byte range 2 through 3
frame[2-3]==0000

以下语法控制切片：

来源：https://www.wireshark.org/docs/man-pages/wireshark-filter.html

[i:j]    i = start_offset, j = length
[i-j]    i = start_offset, j = end_offset, inclusive.
[i]      i = start_offset, length = 1
[:j]     start_offset = 0, length = j
[i:]     start_offset = i, end_offset = end_of_field