Understanding patterns
Several pattern filters are available so you can extract just the packets you need. This is especially useful when investigating specific issues, such as when detecting a network intrusion.
pattern|patternSensitive|patternBin|patternHex|
patternRegex search pattern[(ip|tcp|
tcpData|udp|udpData:)#|#-#]
A search pattern may be ASCII (default), binary, or hex. It may start from an offset. The offset can be a specific location or range from the beginning of the:
Undefined: Packet (default, no packet component is specified)
ip: IP header
tcp: TCP header
tcpData: TCP data
udp: UDP header
udpData: UPD data
Any offset looks only at the specified location or range (if provided). For example, if you specify an offset of [14] the filter only searches byte 14 for the first character of the search pattern.
If you specify the offset range [14-20] the filter searches at byte 14 to byte 20 for the first character of the search pattern. The search may not necessarily end at byte 20; byte 20 is the last starting location. For instance, if your search is HTTP/1.1 (an 8-byte string) the bytes 14 through 20 are searched for H. If the H is found in any of those locations the next byte is searched for T and so on until the second 1 is found (which could be on byte 27 if the H was found on byte 20) or pattern stops matching.
If you want to search from a specific offset to the end of the packet, then use 32767 for the ending offset. For example, [14-32767].
ASCII patterns may be case-sensitive. The pattern filters are case-insensitive. If you need a case-sensitive use patternSensitive.
Search patterns that contain spaces must be surrounded by double quotes.
Any Unicode characters used in the filter are converted to your web browser's character encoding. If a different UTF-level is required, use hexadecimal characters in the filter pattern.
Hex filters work with or without spaces. These are the same search:
 
“41 70 65 78”
41706578
“0x41 0x70 0x65 0x78”
 
A binary pattern is one or more 8-bit numbers separated by a space. Each binary number is a sequence of 0, 1, or x. An x is a wildcard character that matches either the 0 or 1 bit.
Regular Expression filters allow you to use Unix/Perl-style regular expressions, which let you use a wildcard for single characters, groups of characters, ranges of characters and numeric values, and more. These searches may be slow, especially if the expression is complex or the data to be searched is large.
After the trace extraction completes the saved file can be opened in Observer to analyze the packets. If you open your trace in Observer one of two things happen with the filter. If this filter does not already exist a filter is created in the temp folder. If you want to permanently keep the filter in Observer you must move the filter out of the temp folder. If this filter already existed, the existing filter is automatically updated. The previous one is overwritten with the values from this one.
pattern
Case-insensitive ASCII strings can be searched for using the pattern keyword. If you need a case-sensitive search use patternSensitive.
 
pattern search pattern[(ip|tcp|
 
 
“HTTP/1.1”
"filter": pattern “HTTP/1.1”
A case-insensitive ASCII search of the entire packet for “HTTP/1.1.”
 
 
“HTTP/1.1” [tcpData]
"filter": pattern “HTTP/1.1” [tcpData]
A case-insensitive ASCII search of the starting at the beginning of the TCP Data section of the packet for “HTTP/1.1.”
 
 
“HTTP/1.1” [14]
"filter": pattern “HTTP/1.1” [14]
A case-insensitive ASCII search at byte 14 of the packet for “HTTP/1.1.”
 
 
“HTTP/1.1” [14-20]
"filter": pattern “HTTP/1.1” [14-20]
A case-insensitive ASCII search starting at byte 14 through byte 20 for “HTTP/1.1.”
 
 
“HTTP/1.1” [14-32767]
"filter": pattern “HTTP/1.1” [14-32767]
A case-insensitive ASCII search starting at byte 14 through the end of the packet for “HTTP/1.1.”
 
 
“HTTP/1.1” [tcpData:14-20]
"filter": pattern “HTTP/1.1” [tcpData:14-20]
A case-insensitive ASCII search starting at byte 14 through byte 20 of the TCP Data section for “HTTP/1.1.”
 
patternSensitive
Case-sensitive ASCII strings can be searched for using the patternSensitive keyword.
 
patternSensitive search pattern[(ip|tcp|
 
 
“SELECT Query”
"filter": patternSensitive “SELECT Query”
A case-sensitive ASCII search of the entire packet for “SELECT Query.”
 
 
“SELECT Query” [udpData]
"filter": patternSensitive “SELECT Query” [udpData]
A case-sensitive ASCII search of the starting at the beginning of the UDP Data section of the packet for “SELECT Query.”
 
 
“SELECT Query” [14]
"filter": patternSensitive “SELECT Query” [14]
A case-sensitive ASCII search at byte 14 of the packet for “SELECT Query.”
 
 
“SELECT Query” [14-20]
"filter": patternSensitive “SELECT Query” [14-20]
A case-sensitive ASCII search starting at byte 14 through byte 20 for “SELECT Query.” For more details about ranges, see Understanding patterns.
 
 
“SELECT Query” [14-32767]
"filter": patternSensitive “SELECT Query” [14-32767]
A case-sensitive ASCII search starting at byte 14 through the end of the packet for “SELECT Query.”
 
 
“SELECT Query” “SELECT Query” [udpData:14-20]
"filter": patternSensitive “SELECT Query” [udpData:14-20]
A case-sensitive ASCII search starting at byte 14 through byte 20 of the UDP Data section of the packet for “SELECT Query.”
 
patternBin
Binary bits can be searched for using the patternBin keyword.
 
A binary pattern is one or more 8-bit numbers separated by a space. Each binary number is a sequence of 0, 1, or x. An x is a wildcard character that matches either the 0 or 1 bit.
patternBin search pattern[(ip|tcp|
 
 
xxx1xxxx
"filter": patternBin xxx1xxxx
A search of the entire packet for a particular bit surrounded by wildcards.
 
 
xxx1xxxx [tcp]
"filter": patternBin xxx1xxxx [tcp]
A search of the TCP header for a particular bit surrounded by wildcards.
 
 
xxx1xxxx [tcp:13]
"filter": patternBin xxx1xxxx [tcp:13]
A search at byte 13 of the TCP header for a particular bit surrounded by wildcards.
 
 
“0101xxxx xxx1xxxx” [tcp:10-15]
"filter": patternBin “0101xxxx xxx1xxxx” [tcp:10-15]
A search starting at byte 10 through byte 15 of the TCP header for a particular bit pattern using wildcards. For more details about ranges, see Understanding patterns.
 
patternHex
Hex characters can be searched for using the patternHex keyword.
 
patternHex search pattern[(ip|tcp|
 
 
41706578
"filter": patternHex 41706578
A search of the entire packet for a particular hex pattern.
 
 
41706578 [ip]
"filter": patternHex 41706578 [ip]
A search of the IP header for a particular hex pattern.
 
 
"56 69 61 76 69" [13]
"filter": patternHex "56 69 61 76 69" [13]
A search at byte 13 of the entire packet for a particular hex pattern. The pattern contains a space and therefore must be enclosed in double quotes.
 
 
"56 69 61 76 69" [tcp:10-15]
"filter": patternHex "56 69 61 76 69" [tcp:10-15]
A search starting at byte 10 through byte 15 of the TCP header for a particular hex pattern. For more details about ranges, see Understanding patterns.
 
patternRegex
Regular expressions can be used for a search using the patternRegex keyword.
 
Regular Expression filters allow you to use Unix/Perl-style regular expressions, which let you use a wildcard for single characters, groups of characters, ranges of characters and numeric values, and more. These searches may be slow, especially if the expression is complex or the data to be searched is large.
patternRegex search pattern[(ip|tcp|
 
 
/\d+ABCD/
"filter": patternRegex "/\d+ABCD/"
A search of the entire packet using a regular expression looking any number (or group of numbers) followed by ABCD. The / at the beginning and end is a delimiter. If your regular expression contains / it must be escaped with \.
 
 
/\d+ABCD/i
"filter": patternRegex "/\d+ABCD/i"
A case-insensitive search of the entire packet using a regular expression looking any number (or group of numbers) followed by ABCD. The / at the beginning and end is a delimiter. If your regular expression contains / it must be escaped with \.