How do I use the Display Filter to match the content of an 8-byte field?

Question

I've successfully used the Display Filter of NetMon to find a 4-byte long field in a captured trace, as follows,

RDPESC.RDPESCSmartCardCallWithMSRPCHeader.RDPDrGetStatusChangeWCall.RDPDrRedirScardcontextRef.ContextData  == 0x01035BA9

to find the hexadecimal sequence in the frame of "A9 5B 03 01".

Now, I'm trying to match the content of the same field where the field is now 8-bytes long, but I'm not able to do it.  The hexadecimal sequence for which I'm searching in the frame is "00 00 00 00 03 00 00 CD"

The following, which searches for an 8-byte number, doesn't find the frame:

RDPESC.RDPESCSmartCardCallWithMSRPCHeader.RDPDrGetStatusChangeWCall.RDPDrRedirScardcontextRef.ContextData  == 0xCD00000300000000

Neither do other combinations of bytes like

0x00000000CD000003 or

0x00000000030000CD or

0xCD000003

The "ContainsBin()" function also doesn't seem to help me (though I may not be using it correctly) because it doesn't find the frame with the specified ContextData either:

ContainsBin(RDPESC.RDPESCSmartCardCallWithMSRPCHeader.RDPDrGetStatusChangeWCall.RDPDrRedirScardcontextRef.ContextData,2,"00 00 00 00 03 00 00 CD")

Thanks in advance for any help,

-- Steve Ross

Answer 1

ContextData is defined as a struct.  The fact that a 4-byte match worked on it, is an oddity of the engine (one I wasn't aware of).  Instead I would use ContainsBin and reference the FrameData as the first param.  So for instance:

ContainsBin(FrameData, Hex, "00 00 00 00 03 00 00 CD")

If you need to narrow it down to this type of data, you can also AND in the field:

ContainsBin(FrameData, Hex, "00 00 00 00 03 00 00 CD")

AND

RDPESC.RDPESCSmartCardCallWithMSRPCHeader.RDPDrGetStatusChangeWCall.RDPDrRedirScardcontextRef.ContextData

Thanks,

Paul

Answer 2

Paul,

Your suggestion works well for me as I search for either four-byte or eight-byte contexts.  Thank you.

-- Steve Ross