
Wireshark-users: Re: [Wireshark-users] Display filter

From: "Irakli Natshvlishvili" <iraklin@xxxxxxxxx>
Date: Wed, 2 May 2007 16:25:31 -0800

It does, thanks.

But I still have a problem applying the correct filter. For example, here is the content of a UDP packet:

---------------------------------------------------------------------------------
SIP/2.0 200 OK
To: <sip:[email protected]>;tag=51d14022
From: 9094354499<sip:[email protected]>;tag=4c3d535f
Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bKD22343432336665633a787.0
Via: SIP/2.0/UDP 10.10.10.100;branch=z9hG4bK-4fe05e85f80de1da371f137b46b23e25;psrrposn=1
Via: SIP/2.0/UDP 10.10.10.50:5065;branch=z9hG4bK-d87543-9b1a2741582f6b580701-1-cHA4NmI1ZmE3MDEzOWRmZjFhMzViZg..-d87543-
Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2
CSeq: 342974572 INVITE
Contact: <sip:4pbueHxLlmmKCczZ-2iiiSB3Y37p6oGYVI7qOS2l5TN2_Oan0FWp60466xKFg..@10.10.10.10>
User-Agent: Tele2100
---------------------------------------------------------------------------------

Look at rows #4-7. They start with the "Via:" string.
I want to find all packets where the "Via:" string occurs more than once; the above packet is an example.

But when I use filter

udp matches "Via.*Via"

It does not display anything.

What am I doing wrong?

Thanks,

--i.n.

On 5/2/07, Gerald Combs <gerald@xxxxxxxxxxxxx> wrote:
The Windows version ships with PCRE.  Did you try typing in the filter,
and does it turn green?

Irakli Natshvlishvili wrote:
> Yaah, I dug into docs and found that regex could be used in display filters.
>
> Unfortunately, the Windows installer for Wireshark does not have PCRE
> support. Am I right?
>
> Do I understand correctly that I need to re-compile Wireshark from the
> source under Windows to have regex support?
>
> If yes, then, well, sorry, I can't do it...
>
> --i.n.
>
> On 5/2/07, *Gerald Combs* <gerald@xxxxxxxxxxxxx
> <mailto: gerald@xxxxxxxxxxxxx>> wrote:
>
>     Irakli Natshvlishvili wrote:
>     > Question:
>     >
>     > Using display filters, is there a way to find if a particular string
>     > occurs more than once in a packet?
>     >
>     > For example, if there is a UDP packet which has payload "this is one
>     > 1234 two one test", then filtering via UDP contains "one" will display
>     > this UDP packet.
>     >
>     > But I want to filter ALL packets, where this particular string occurs
>     > more than once.
>     >
>     > Any way to do it?
>
>     If you have PCRE support compiled in, you can use something like
>
>         udp matches "one.*one"
>
>     That translates to "the string 'one' followed by zero or more characters
>     followed by the string 'one'."  The "matches" operator supports
>     Perl-compatible regular expressions, which are described at
>     http://perldoc.perl.org/perlre.html .
>
>     You can check for PCRE support via "Help->About Wireshark" or by using
>     the "-v" command-line flag.  You can also type in the filter above and
>     see if the display filter entry turns green.
>     _______________________________________________
>     Wireshark-users mailing list
>     Wireshark-users@xxxxxxxxxxxxx <mailto:Wireshark-users@xxxxxxxxxxxxx>
>     http://www.wireshark.org/mailman/listinfo/wireshark-users
>
>
>
>
> --
> I.N .
>
>



--
I.N.
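
Added example, not part of the original thread: the filters above are Perl-compatible regular expressions, in which `.` does not match a newline by default, so `Via.*Via` only matches when both occurrences sit on one line. The Python sketch below compares that pattern with a `(?s)` variant and a line-anchored header count; the payloads are constructed and the function names are assumptions.

```python
import re

# Constructed payloads shaped like the SIP response in the message (CRLF line
# endings as on the wire; addresses and branch values are placeholders).
MULTI_VIA = (
    b"SIP/2.0 200 OK\r\n"
    b"To: <sip:callee@example.invalid>;tag=51d14022\r\n"
    b"Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK-aaa\r\n"
    b"Via: SIP/2.0/UDP 10.10.10.100;branch=z9hG4bK-bbb\r\n"
    b"Via: SIP/2.0/UDP 10.10.10.50:5065;branch=z9hG4bK-ccc\r\n"
    b"CSeq: 342974572 INVITE\r\n\r\n"
)
SINGLE_VIA = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK-aaa\r\n"
    b"User-Agent: ViaViaPhone\r\n\r\n"
)

# Python's re shares the relevant PCRE default: "." does not match "\n".
SAME_LINE = re.compile(rb"Via.*Via")      # both hits must share one line
ANY_LINE = re.compile(rb"(?s)Via.*Via")   # (?s) lets "." cross line breaks
# Header-aware: a line that starts with the Via header name (or its compact
# form "v"), case-insensitive, so "Via" inside another header is ignored.
VIA_HEADER = re.compile(rb"(?im)^(?:Via|v)[ \t]*:")


def same_line_match(payload: bytes) -> bool:
    return SAME_LINE.search(payload) is not None


def any_line_match(payload: bytes) -> bool:
    return ANY_LINE.search(payload) is not None


def via_header_lines(payload: bytes) -> int:
    """Count Via header lines in the header section (before the blank line).

    Counts lines only; several Via values comma-joined on one line count once.
    """
    head = payload.split(b"\r\n\r\n", 1)[0]
    return len(VIA_HEADER.findall(head))


if __name__ == "__main__":
    for name, pkt in (("multi", MULTI_VIA), ("single", SINGLE_VIA)):
        print(name, same_line_match(pkt), any_line_match(pkt), via_header_lines(pkt))
```

The second payload shows why a plain substring pattern over-matches: "Via" appearing twice inside another header value satisfies both regexes even though there is only one Via header.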