Wireshark-users: Re: [Wireshark-users] Display filter

From: "Luis Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Fri, 4 May 2007 01:33:22 +0200

On 5/4/07, Irakli Natshvlishvili <iraklin@xxxxxxxxx> wrote:

Also, could you clarify what type of regex wireshark supports?

pcre

perl-compatible regexp as documented in http://perldoc.perl.org/perlre.html

Here is the example - if there is a one line string:

 sip:@10.10.10.20

sip matches "sip:[ ]+@xxxxxxxxxxx"

What would be regex which will find all packets matching "sip:" followed by
"@" when there are zero or more whitespace chars between "sip:" and "@"?

I want to find out if a regex when  a string1 is followed by 0 or more (1 or
more, exactly nn times, more then n, but less then m) whilespace (or
alphanumerical or CLRF) characters before string2 can be written for
wireshark. Above example is one of such case, my previous question, about
CLRF was another.

sip:[ ]+@([0-9]{1,3}\.){3}\.[0-9]{1,3}

 Thank everybody for your help.

--i.n.


On 5/3/07, Gerald Combs <gerald@xxxxxxxxxxxxx> wrote:
> Normally, the '.' metacharacter doesn't match line-ending characters.
> You can force it to span multiple lines using the 's' option, like so:
>
>     (?s)Via.*Via
>
>

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan