|-----Original Message-----
|From: Bryan.Cromwell@xxxxxxxxxxxxx
|
|
|Good Day All,
|
|Can someone possibly help me. I am trying to come up with a
|display filter, but have been unsuccessful.
|
|I am trying to filter on the Message section of a smtp packet.
|Here is what I see
|
|Frame
|Ethernet
|IP
|TCP
|SMTP ----\/
| Message: Received: from machine.hostname.com
|
|I am trying to wrote a couple of different filters for
|"Recieved: from" but it don't return the correct results.
|
|I have tried tcp[42:1]=52 trying to find the "R" that didn't work
|smtp contains "Recieved:" didn't work
|
|Any Idea's??
First, it is "Received" not "Recieved" :)
^^ ^^
The "contains" operation is case insensitive. You can use the "matches"
operator for more complex pattern matches, including case sensitive matches.
The following may help:
smtp matches "(?i)received[:] from machine.hostname.com"
The format of Perl-Compatible regular expressions as used in the "matches"
display filter operation, is described at http://www.pcre.org/.
You also may want to check whether TCP reassembly is enabled (go to Edit->
Preferences, open the "Protocols" tree, go to TCP). The same is true for the
SMPP dissector (go to SMPP and tick the reassembly option if it was not
ticked).
Regards,
Olivier
