System information
The Tools Menu
Filtering for a Text, Hexadecimal, or Binary Pattern
When defining a Pattern rule, you can enter a specific offset from the beginning of a
packet header (or from the beginning of a protocol’s header), and a specific pattern or data
sequence to search for after that offset.
The offset is the decimal position at which to start looking for the sequence, in the byte order you
specify (big endian or little endian, that is, most significant byte first or last, respectively). Enter
the offset as a decimal value. If you select Search Using Range, you can also enter an ending
offset beyond which the filter will not search for the pattern.
The pattern itself is the actual ASCII, hex, or binary string that you are filtering for.
For example, to define an offset-sequencing filter to look for telnet packets (i.e., looking
for TCP port 23) in one direction, the offset would be 34 (14 bytes of Ethernet header + 20
more bytes of IP header) and the hex pattern would be 00 17 (23 in hex).
To create a Pattern rule for telnet in both directions, you could first tell Observer you want
to start the offset at the IP-TCP protocol portion of the header (specify IP-TCP in the
“Protocol” dropdown dialog), then tell Observer that you want the first offset to start
immediately (port number is the first field after the TCP header) by entering “0” in the
first offset field and “00 17” in the first “Offset Filter” area. This will filter for telnet
packets in the direction of source to destination. To see the telnet response packets, you
should enter a second offset (in the same dialog) for offset “2” and with a value of “00
17”. The second offset specifies the destination port (this is the reason for the offset of
“2”).
For hexadecimal patterns, you must enter the two-character representation
of each byte in the hex pattern, with a SPACE between. For the example
above, telnet is on port 23, which is represented as “00 17” in hex. Note the
SPACE between the “00” and the “17.”
For binary patterns, you must enter each byte as an 8-position bit string, with a SPACE
between bytes (for example, “10011101 11001100”).
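The following is an added example, not Observer code, that reproduces the Pattern rule logic described above in plain Python: a pattern is parsed from its ASCII, hex, or binary form, then looked for at a decimal offset measured either from the start of the frame or from a protocol header (the “Protocol” dropdown), optionally over a range. The frames, the `matches`/`parse_pattern`/`header_origin` function names, and the interpretation of the ending offset as the last start position are all assumptions of this example. It also shows why the frame-relative offset of 34 quoted in the text assumes an IPv4 header without options (and no VLAN tag): with a 24-byte IP header the fixed offset misses, while the IP-TCP header origin still matches.

```python
"""Offset + pattern filter matcher (added example, not Observer's own code)."""
import struct
from typing import Optional

ETH_LEN = 14  # Ethernet II header length, assuming no 802.1Q VLAN tag


def parse_pattern(text: str, kind: str) -> bytes:
    """Turn a rule pattern into bytes: ASCII as typed, hex as space-separated
    two-character bytes ("00 17"), binary as space-separated 8-bit strings."""
    if kind == "ascii":
        return text.encode("ascii")
    if kind == "hex":
        return bytes(int(tok, 16) for tok in text.split())
    if kind == "binary":
        return bytes(int(tok, 2) for tok in text.split())
    raise ValueError(f"unknown pattern kind: {kind}")


def header_origin(frame: bytes, protocol: str) -> int:
    """Byte position in the frame where offsets start for the chosen origin:
    'packet' = frame start, 'ip' = after Ethernet, 'ip-tcp' = after the IPv4
    header (honouring the IHL nibble, so IP options are accounted for)."""
    if protocol == "packet":
        return 0
    if protocol == "ip":
        return ETH_LEN
    if protocol == "ip-tcp":
        ihl_bytes = (frame[ETH_LEN] & 0x0F) * 4
        return ETH_LEN + ihl_bytes
    raise ValueError(f"unsupported protocol origin: {protocol}")


def matches(frame: bytes, pattern: bytes, offset: int, protocol: str = "packet",
            end_offset: Optional[int] = None) -> bool:
    """True if pattern sits exactly at offset, or, when end_offset is given
    (Search Using Range), starts anywhere in [offset, end_offset]."""
    base = header_origin(frame, protocol)
    start = base + offset
    if end_offset is None:
        return frame[start:start + len(pattern)] == pattern
    last_start = base + end_offset
    return frame.find(pattern, start, last_start + len(pattern)) != -1


def build_tcp_frame(src_port: int, dst_port: int, ip_options: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with zeroed addresses and no payload."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(ip_options) + 20,
                     0, 0, 64, 6, 0, bytes(4), bytes(4)) + ip_options
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 0, 0, 0)
    return eth + ip + tcp


TELNET = parse_pattern("00 17", "hex")  # port 23 as the text writes it


def telnet_either_direction(frame: bytes) -> bool:
    """The two-offset rule from the text: "00 17" at TCP offset 0 (source port)
    or TCP offset 2 (destination port), origin set to IP-TCP."""
    return matches(frame, TELNET, 0, "ip-tcp") or matches(frame, TELNET, 2, "ip-tcp")


if __name__ == "__main__":
    to_server = build_tcp_frame(51234, 23)       # client -> telnet server
    from_server = build_tcp_frame(23, 51234)     # server -> client
    print(matches(from_server, TELNET, 34))      # frame-relative rule from the text
    print(telnet_either_direction(to_server), telnet_either_direction(from_server))
```

Run directly, the script evaluates the frame-relative rule (offset 34, hex `00 17`) against a server-to-client frame and the two-offset IP-TCP rule against both directions; a frame built with `ip_options` shows the fixed offset failing while the protocol-relative rule still matches.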
Callouts from the Pattern rule dialog figure:
Protocol: lets you set a protocol header as the origin for determining the offset, other than the packet header.
Offset Filter: enter the ASCII string, hex codes, or binary code strings that you want to search for.
Search Using Range: choose whether to limit the search to a range, and enter the offset (and range).
Pattern type: choose ASCII, Hex, or Binary search.