Binary Data Search

The .byte_test parameter compares a byte sequence with a specified value. It is applied to data presented in binary or character format.

The general format is as follows:

.byte_test = <bytes>,<operator>,<value>,<offset>[,<multiplier>][,<modifiers>];

Available parameters are described below, each by name followed by its description:

<bytes>

Number of bytes read from the packet at the current position plus the specified offset. Possible values: 1, 2 or 4.

<size>

String length; used for string data (string modifier).

*

Use all characters up to the first non-numeric character.

<operator>

Operator used to compare the byte with the specified value:

  • < --- less than

  • > --- greater than

  • = --- equal to

  • != --- not equal to

  • & --- the result of the logical "AND" operation between <bytes> and <MASK> (a number which specifies the bits of interest) is not equal to 0

  • ~ --- the result of the logical "AND" operation between <bytes> and <MASK> is equal to 0

  • ^ --- the result of the logical "XOR" operation between <bytes> and <MASK> is not equal to 0

Example:

.byte_test=1,&,0x80,0;

checks that the most significant bit of the first byte in the data field of the packet is set to 1.

<value>

The value used for comparison, or the packet size.

The value can be specified using a prefix (for example, 0x for hexadecimal, as in the example above); arithmetic operators (+, -, *, /) can also be used.

<offset>

Offset in the data field of the packet:

  • relative: from the last match point.

If the offset parameter is not specified, then the analysis, by default, is performed from the beginning of the packet.

<post_offset>

The number of bytes to move the scan start point.

Important! Applies to .byte_jump only.

<multiplier>

A numeric value by which the extracted number should be multiplied before comparison or moving the scan start point; this parameter is optional.

<modifiers>

Modifiers (optional):

  • big --- process data from the most significant bit

  • little --- process data from the least significant bit

  • string --- the packet contains string data

  • hex --- convert the data string to a hexadecimal number

  • dec --- convert the data string to a decimal number

  • oct --- convert the data string to an octal number

  • align --- round the number of converted bytes to the next 32-bit boundary; used for .byte_jump only (for example, 0 ➜ 0; 1,2,3,4 ➜ 4; 5,6 ➜ 8 etc.).

Example: compare the first four bytes of each packet with the value 1234, where the packet data is in character format and decimal notation:

.byte_test=4,=,1234,0,string,dec;

The .byte_jump parameter moves the scan start point by the specified number of bytes. The general format for data processed from the most or the least significant bit (i.e. with the big or little modifier) is as follows:

.byte_jump = <bytes>,<offset>,<post_offset>[,<multiplier>][,<modifiers>];

For string data (string modifier):

.byte_jump = (<size> | *),<offset>,<post_offset>[,<multiplier>][,<modifiers>];
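The following evaluator is an added example, not the product's own rule parser. It implements the .byte_test and .byte_jump semantics described above (operators, string/hex/dec/oct, little, align, multiplier, prefixed values with arithmetic) so that the rule examples on this page can be checked against constructed packet bytes. The function names byte_test and byte_jump, the use of a cursor as the scan start point, big-endian as the default byte order, and counting a .byte_jump from the end of the converted bytes plus <post_offset> are assumptions made for this illustration; the page does not spell them out.

```python
"""Evaluator for the .byte_test and .byte_jump rule parameters (added example).

Assumptions not stated on the page: offsets count from the current scan start
point (the beginning of the packet until a .byte_jump moves it), big-endian is
the default byte order, and a .byte_jump lands after the bytes it converted,
plus <post_offset>.
"""
import ast

# <operator> table: '&', '~' and '^' treat <value> as the bit mask <MASK>.
_OPS = {
    "<": lambda x, v: x < v,
    ">": lambda x, v: x > v,
    "=": lambda x, v: x == v,
    "!=": lambda x, v: x != v,
    "&": lambda x, v: (x & v) != 0,
    "~": lambda x, v: (x & v) == 0,
    "^": lambda x, v: (x ^ v) != 0,
}
_STRING_BASES = {"hex": 16, "dec": 10, "oct": 8}
_ARITH = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
          ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a // b}


def _fields(rule, name):
    """Split '.byte_test=1,&,0x80,0;' into its comma-separated fields."""
    head, sep, body = rule.strip().rstrip(";").partition("=")
    if not sep or head.strip() != name:
        raise ValueError(f"expected a {name} rule, got {rule!r}")
    return [f.strip() for f in body.split(",")]


def _tail(tokens):
    """Separate the optional numeric <multiplier> from the keyword <modifiers>."""
    multiplier, modifiers = 1, []
    for tok in tokens:
        if tok.isdigit():
            multiplier = int(tok)
        elif tok:
            modifiers.append(tok)
    return multiplier, modifiers


def _value(text):
    """<value>: an integer with an optional prefix (0x, 0o) and + - * / arithmetic."""
    def ev(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, int):
            return n.value
        if isinstance(n, ast.BinOp) and type(n.op) in _ARITH:
            return _ARITH[type(n.op)](ev(n.left), ev(n.right))
        raise ValueError(f"unsupported <value> expression: {text!r}")
    return ev(ast.parse(text, mode="eval").body)


def _read(data, start, count, modifiers):
    """Read a number at data[start:]; returns (number, bytes consumed)."""
    if "string" in modifiers:
        base = next((_STRING_BASES[m] for m in modifiers if m in _STRING_BASES), 10)
        if count == "*":  # all characters up to the first non-numeric character
            end = start
            while end < len(data) and chr(data[end]).lower() in "0123456789abcdef"[:base]:
                end += 1
        else:
            end = start + int(count)  # <size>: fixed string length
        return int(data[start:end].decode("ascii"), base), end - start
    if count not in ("1", "2", "4"):
        raise ValueError("<bytes> must be 1, 2 or 4 for binary data")
    chunk = data[start:start + int(count)]
    if len(chunk) < int(count):
        raise ValueError("packet too short for the requested bytes")
    order = "little" if "little" in modifiers else "big"  # big is the assumed default
    return int.from_bytes(chunk, order), int(count)


def byte_test(rule, data, cursor=0):
    """Return True if the .byte_test rule matches data at the scan start point."""
    count, op, value, offset, *rest = _fields(rule, ".byte_test")
    multiplier, modifiers = _tail(rest)
    number, _ = _read(data, cursor + int(offset), count, modifiers)
    return _OPS[op](number * multiplier, _value(value))


def byte_jump(rule, data, cursor=0):
    """Apply a .byte_jump rule and return the new scan start point."""
    count, offset, post_offset, *rest = _fields(rule, ".byte_jump")
    multiplier, modifiers = _tail(rest)
    start = cursor + int(offset)
    number, consumed = _read(data, start, count, modifiers)
    jump = number * multiplier
    if "align" in modifiers:  # next 32-bit boundary: 0->0, 1..4->4, 5..8->8
        jump = (jump + 3) & ~3
    return start + consumed + jump + int(post_offset)


if __name__ == "__main__":
    # Constructed packet data, not a real capture.
    print(byte_test(".byte_test=1,&,0x80,0;", b"\x81\x00"))           # True
    print(byte_test(".byte_test=4,=,1234,0,string,dec;", b"1234 x"))  # True
    tlv = b"\x00\x04" + b"ABCD" + b"\x90"                # 2-byte length, payload, marker
    pos = byte_jump(".byte_jump=2,0,0;", tlv)            # 6: skip over the 4-byte payload
    print(pos, byte_test(".byte_test=1,=,0x90,0;", tlv, cursor=pos))  # 6 True
```

Chaining byte_jump into byte_test with the returned cursor is what makes length-prefixed (TLV-style) fields testable: the jump reads the length, skips the variable payload, and the test then inspects the byte that follows, which a fixed offset could not reach.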