User Function - @pattern

Description:
This user function tests whether a trace record contains the specified byte pattern.  The pattern may specified as binary, hexadecimal, ASCII text, or EBCDIC text.  The search for this pattern may be limited by specifying an individual protocol within which to search, and by specifying byte offsets at which to begin and end the search within each record.

Syntax:
@pattern(DATA_PATTERN, FORMAT [, START_OFFSET [, END_OFFSET [, PROTOCOL_ID]]])

Arguments:
DATA_PATTERN A binary, hexadecimal, ASCII, or EBCDIC data pattern.  If the format is ASCII or EBCDIC, and there are any whitespace characters embedded in the text, the pattern must be enclosed in single quotes.  See the description of the FORMAT argument to determine valid input for each data format.
FORMAT A single character indicating the format of the DATA_PATTERN argument.  The following characters are valid:
  • B - If the pattern should be interpreted as binary data (only 1's or 0's are valid within the pattern).  If the pattern does not fall naturally on a byte boundary, its most significant bits will be padded with 0's until it falls within a one-byte boundary.
  • H - If the pattern should be interpreted as hexadecimal data (only digits 0-9 and characters A-F are valid).  If the pattern does not fall naturally on a byte boundary, its most significant bits will be padded with 0's until it falls within a one-byte boundary.
  • A - If the pattern should be interpreted as ASCII data (any ASCII character is valid).
  • E - If the pattern should be interpreted as EBCDIC data (any EBCDIC character is valid).
START_OFFSET An optional argument.  The offset in each data frame at which to begin testing for the specified data pattern.  This is useful if you know where the specified data pattern normally would be found in a frame, and you wish to avoid testing data located before this offset.  This offset is measured in bytes from the beginning of:
  • the data frame;  or
  • the protocol within the data frame specified by the optional PROTOCOL_ID argument.
If this parameter is not specified, testing will start at the first byte of each data frame, and continue through the end of the frame.  In this case, neither END_OFFSET nor PROTOCOL_ID may be specified.
END_OFFSET An optional argument.  The offset in each data frame at which the final test for the specified data pattern should occur.  This is useful if you know where the specified data pattern normally would be found in a frame, and you wish to avoid testing data located after this offset.  This offset is measured in bytes from the beginning of:
  • the data frame;  or
  • the protocol within the data frame specified by the optional PROTOCOL_ID argument.
If this parameter is not specified, testing will start at START_OFFSET bytes from the beginning of the frame, and will continue through the end of the frame.  In this case, PROTOCOL_ID may not be specified.
PROTOCOL_ID An optional argument.  The unique ID of the protocol within each data frame which should be tested for the specified data pattern.  If specified, both START_OFFSET and END_OFFSET are relative to the beginning of this protocol, and any frame data found within outer protocols is ignored.  Inner protocols and data are included in the search.  Outer protocols are excluded.

Returns:
True if the specified pattern is found within the specified region in the data frame, else false.

Examples:
The following four examples all test for the same data pattern, using different formats:

    @pattern(100111101010000, B)
    @pattern(4F50, H)
    @pattern('OP', A)
    @pattern('|&', E)

The following example tests for the data pattern FFFFFFFFFFFF starting with the second byte from the beginning of the frame, and continuing through the end of the frame:

    @pattern(FFFFFFFFFFFF, H, 2)

The following example tests for the same pattern as the previous example, but specifies that only the six bytes of data starting at the second byte from the beginning of the frame are tested:

    @pattern(FFFFFFFFFFFF, H, 2, 2)

The following example tests for the same pattern as the previous example, but specifies that starting and ending offsets should be relative to the IP protocol portion of the frame only:

    @pattern(FFFFFFFFFFFF, H, 2, 2, IP)

Tips:
The best performance will be achieved by limiting the test using START_OFFSET and END_OFFSET, since this can greatly limit the number of data pattern comparisons performed.  However, specifying PROTOCOL_ID generally will slow the function's performance.  Avoid this parameter unless it is necessary to properly scope the search to avoid false positive matches.

Copyright © 2000-2001 Golden Code Development Corporation.  ALL RIGHTS RESERVED.