
Search for unicode string (UTF-16) in PCap file captured by WireShark


I am trying to search for a string in a pcap file captured with the Wireshark tool. All strings from/to the SQL server are formatted as Unicode strings (UTF-16).

When a frame contains a Unicode string like "select", it is displayed as "s e l e c t"; the space between the characters is the null character \x00.

When using the following display filter:

  frame contains "s e l e c t"

no frames are filtered.

So I have to convert the string "select" to hexadecimal manually and run the display filter:

  frame contains 73:00:65:00:6c:00:65:00:63:00:74:00

and it works.

Also, I tried to use the Find tool (in the toolbar), picked Wide (UTF-16), and entered "s e l e c t", but it couldn't find the string.

I use Wireshark v2.2.0 with a sample of data.

  • Is there a simple way to filter for a Unicode string directly instead of converting the string to a hex string?
  • What should I enter in the Find tool when picking Wide (UTF-16) to search for an ASCII string, e.g. "select", as a Unicode string?

Solution

  • Q. Is there a simple way to filter for a Unicode string directly instead of converting the string to a hex string?

    The "matches" operator allows a filter to apply a Perl-compatible regular expression (PCRE).

    For the word "select", the display filter will be:

      frame matches "s.e.l.e.c.t"
    

    The dot here represents any character; in our case it's the \x00 character.

    For case-insensitive matching, like Select, SELECT:

       frame matches "(?i)s.e.l.e.c.t"
    

    (?i) performs a case-insensitive pattern match.

    Q. What should I enter in the Find tool when picking Wide (UTF-16) to search for an ASCII string, e.g. "select", as a Unicode string?

    Click the Find tool on the toolbar and, in the dropdown lists, select the following:

    Pick "Packet bytes" => pick "Narrow & Wide" => pick "String"

    Enter the word to search for, e.g. "select", in the text box.

    If the word exists, you will find the frame data in the "Packet Bytes" area.
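As an added example (not code from the question or the answer above), the following Python script builds both display filters from a plain string, the hand-made `contains` hex form from the question and the `matches` regex form from the answer, and evaluates them locally against a constructed UTF-16LE payload. It shows why the space-separated text never matches (the gaps Wireshark prints are 0x00 bytes, not 0x20) and why the regex does. The sample frame bytes and all function names are my own assumptions for illustration.

```python
import re

# Constructed sample frame (not from the original page): an 8-byte TDS-style
# header followed by a UTF-16LE SQL batch. Wireshark would render the payload
# as "S E L E C T ..." because every other byte is 0x00.
SAMPLE_FRAME = bytes.fromhex("0101003400000100") + "SELECT name FROM users".encode("utf-16-le")


def wide_contains_filter(text, field="frame"):
    """Build the 'field contains aa:bb:...' filter for a UTF-16LE string.

    This is the hex string the question built by hand for "select":
    73:00:65:00:6c:00:65:00:63:00:74:00
    """
    wide = text.encode("utf-16-le")
    return f"{field} contains " + ":".join(f"{b:02x}" for b in wide)


def wide_matches_filter(text, field="frame", ignore_case=False):
    """Build the 'field matches "s.e.l.e.c.t"' filter from the answer.

    Each character is regex-escaped and joined with '.', which stands in for
    the 0x00 high byte of the UTF-16LE encoding. (?i) is prepended for a
    case-insensitive match, exactly as the answer does.
    """
    pattern = ".".join(re.escape(c) for c in text)
    if ignore_case:
        pattern = "(?i)" + pattern
    return f'{field} matches "{pattern}"'


def frame_contains(frame, hex_filter):
    """Evaluate a 'frame contains aa:bb:...' filter locally (exact byte search)."""
    hex_part = hex_filter.split(" contains ", 1)[1]
    needle = bytes.fromhex(hex_part.replace(":", ""))
    return needle in frame


def frame_contains_text(frame, text):
    """Evaluate 'frame contains "text"' locally: the text is searched as its
    narrow (ASCII) bytes, so "s e l e c t" looks for 0x20 between letters."""
    return text.encode("ascii") in frame


def frame_matches(frame, regex_filter):
    """Evaluate a 'frame matches "..."' filter locally with a bytes regex.

    DOTALL lets '.' also match 0x0a, since arbitrary payload bytes may contain
    it; the inline (?i) flag is honoured by Python's re just as by PCRE.
    """
    pattern = regex_filter.split(" matches ", 1)[1].strip('"')
    return re.search(pattern.encode("latin-1"), frame, re.DOTALL) is not None


if __name__ == "__main__":
    print(wide_contains_filter("select"))
    print(wide_matches_filter("select", ignore_case=True))
    print("spaced text   :", frame_contains_text(SAMPLE_FRAME, "s e l e c t"))
    print("hex contains  :", frame_contains(SAMPLE_FRAME, wide_contains_filter("SELECT")))
    print("regex (?i)    :", frame_matches(SAMPLE_FRAME, wide_matches_filter("select", ignore_case=True)))
```

The generated `contains` filter can be pasted straight into Wireshark's display filter bar; the `matches` form is the one to prefer when the case of the SQL keyword is not known in advance, since `contains` compares raw bytes and is therefore case-sensitive.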