Wireshark · Wireshark-users: Re: [Wireshark-users] Display filter

["Irakli Natshvlishvili" <iraklin@xxxxxxxxx>]

Sake,

I modified the filter, "Via.*\x0d\x0aVia.*" does work for the capture I've posted.

But, will it work in case if 'Via' headers ARE NOT next to each other? 

I mean, if a message looks like this:

To: <sip:+17075317490@10.10.10.10>;tag=51d14022
From: 9094354499<
sip:9094354499@10.10.10.20>;tag=4c3d535f
Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bKD22343432336665633a787.0
Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2
Via: SIP/2.0/UDP 10.10.10.100;branch=z9hG4bK-4fe05e85f80de1da371f137b46b23e25;psrrposn=1

Contact: <sip:4pbueHxLlmmKCczZ-2iiiSB3Y37p6oGYVI7qOS2l5TN2_Oan0FWp60466xKFg..@10.10.10.10 >
Via: SIP/2.0/UDP 10.10.10.50:5065;branch=z9hG4bK-d87543-9b1a2741582f6b580701-1-cHA4NmI1ZmE3MDEzOWRmZjFhMzViZg..-d87543-
CSeq: 342974572 INVITE
User-Agent: Tele2100

Will the above filter still work? Unfortunately I do not have message like this to test in Wireshark.

So, in essence my goal if following:

find a stingA  in the packet followed by stringB, when between stringA and stringB there could be 0 or more CRLF.

Which in plan English means that stringA and stringB could be in the same line (before CRLF), could be in in different lines.

Anyone can help? I'm not a regex guru.

--i.n.

On 5/2/07, Sake Blok <sake@xxxxxxxxxx> wrote:

On Wed, May 02, 2007 at 10:05:47PM -0800, Irakli Natshvlishvili wrote:
> I've just tried. Does not work.

Can you poste a small capture file with a few packets that you would like
to match against?

Cheers,


Sake


_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

-- 
I.N.