How do I use the Display Filter to match the content of an 8-byte field?

  • Question

  • I've successfully used the Display Filter of NetMon to find a 4-byte long field in a captured trace, as follows,

    RDPESC.RDPESCSmartCardCallWithMSRPCHeader.RDPDrGetStatusChangeWCall.RDPDrRedirScardcontextRef.ContextData  == 0x01035BA9

    to find the hexadecimal sequence in the frame of "A9 5B 03 01".

    Now, I'm trying to match the content of the same field where the field is now 8 bytes long, but I'm not able to do it. The hexadecimal sequence for which I'm searching in the frame is "00 00 00 00 03 00 00 CD".

    The following, which searches for an 8-byte number, doesn't find the frame:

    RDPESC.RDPESCSmartCardCallWithMSRPCHeader.RDPDrGetStatusChangeWCall.RDPDrRedirScardcontextRef.ContextData  == 0xCD00000300000000

    Neither do other combinations of bytes like

    0x00000000CD000003 or

    0x00000000030000CD or

    0xCD000003

    The "ContainsBin()" function also doesn't seem to help me (though I may not be using it correctly) because it doesn't find the frame with the specified ContextData either:

    ContainsBin(RDPESC.RDPESCSmartCardCallWithMSRPCHeader.RDPDrGetStatusChangeWCall.RDPDrRedirScardcontextRef.ContextData,2,"00 00 00 00 03 00 00 CD")

    Thanks in advance for any help,

    -- Steve Ross

    Thursday, April 19, 2012 4:39 PM

Answers

  • ContextData is defined as a struct. The fact that a 4-byte match worked on it is an oddity of the engine (one I wasn't aware of). Instead I would use ContainsBin and reference the FrameData as the first param. So for instance:

    ContainsBin(FrameData, Hex, "00 00 00 00 03 00 00 CD")

    If you need to narrow it down to this type of data, you can also AND in the field:

    ContainsBin(FrameData, Hex, "00 00 00 00 03 00 00 CD")

    AND

    RDPESC.RDPESCSmartCardCallWithMSRPCHeader.RDPDrGetStatusChangeWCall.RDPDrRedirScardcontextRef.ContextData

    Thanks,

    Paul

    • Marked as answer by Steve Ross-1 Tuesday, April 24, 2012 5:02 PM
    Tuesday, April 24, 2012 1:46 PM
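The byte-order relationship behind the two filters above, as an added example that is not part of the thread and not NetMon code: the 4-byte compare matched because 0x01035BA9 is stored little-endian as "A9 5B 03 01", and a ContainsBin-style search over the raw frame bytes finds the 8-byte context without depending on how the parser types the field. The frames and their filler bytes are constructed for illustration.

```python
# Added example (not from the forum thread): emulate the two NetMon filter
# styles on constructed frame bytes.  The frame layouts below are made up;
# only the context values come from the thread.


def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Turn a NetMon-style hex string such as "00 00 00 00 03 00 00 CD" into bytes."""
    return bytes.fromhex(pattern.replace(" ", ""))


def int_to_le_bytes(value: int, width: int) -> bytes:
    """Little-endian encoding, which is how the 4-byte ContextData appeared on the wire."""
    return value.to_bytes(width, byteorder="little")


def contains_bin(frame: bytes, pattern: str) -> bool:
    """Equivalent of ContainsBin(FrameData, Hex, "..."): substring search over the raw frame."""
    return hex_pattern_to_bytes(pattern) in frame


def find_offsets(frame: bytes, pattern: str) -> list:
    """Every offset at which the pattern occurs (the filter itself only says yes/no)."""
    needle = hex_pattern_to_bytes(pattern)
    return [i for i in range(len(frame) - len(needle) + 1)
            if frame[i:i + len(needle)] == needle]


def matches_narrowed_filter(frame: bytes, pattern: str, has_context_field: bool) -> bool:
    """The 'ContainsBin(...) AND <field>' form: byte match plus the field being present."""
    return contains_bin(frame, pattern) and has_context_field


# Constructed frames: six filler bytes, the context value, four trailing filler bytes.
FRAME_4BYTE = b"\x00" * 6 + int_to_le_bytes(0x01035BA9, 4) + b"\xff" * 4
FRAME_8BYTE = b"\x00" * 6 + int_to_le_bytes(0xCD00000300000000, 8) + b"\xff" * 4

if __name__ == "__main__":
    print(int_to_le_bytes(0x01035BA9, 4).hex(" ").upper())            # a9 5b 03 01
    print(int_to_le_bytes(0xCD00000300000000, 8).hex(" ").upper())    # 00 00 00 00 03 00 00 cd
    print(find_offsets(FRAME_8BYTE, "00 00 00 00 03 00 00 CD"))      # [6]
    print(matches_narrowed_filter(FRAME_8BYTE, "00 00 00 00 03 00 00 CD", True))
```

The same little-endian reading of the 8-byte value gives exactly the sequence the question was searching for, which is why the raw-bytes search is the dependable form when the field is a struct.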

All replies

  • Paul,

    Your suggestion works well for me as I search for either four-byte or eight-byte contexts.  Thank you.

    -- Steve Ross

    Tuesday, April 24, 2012 5:04 PM