Wireshark · Wireshark-users: Re: [Wireshark-users] Display filter

["Irakli Natshvlishvili" <iraklin@xxxxxxxxx>]

Hank,

Thanks!

On 5/3/07, Hank Leininger <hlein@xxxxxxxxxxxxx> wrote:

On Fri, May 04, 2007 at 01:33:22AM +0200, Luis Ontanon wrote:
> On 5/4/07, Irakli Natshvlishvili <iraklin@xxxxxxxxx> wrote:
>
> > Also, could you clarify what type of regex wireshark supports?
> pcre
>
> > Here is the example - if there is a one line string:
> >
> >  sip:@10.10.10.20
> sip matches "sip:[ ]+@ 10.10.10.20"
>
> > What would be regex which will find all packets matching "sip:" followed by
> > "@" when there are zero or more whitespace chars between "sip:" and "@"?

Actually, for zero or more, you want *, not + (which is "one or more"):

  sip matches "sip:[ ]*@10.10.10.20"

> > I want to find out if a regex when  a string1 is followed by 0 or more (1 or
> > more, exactly nn times, more then n, but less then m) whilespace (or
> > alphanumerical or CLRF) characters before string2 can be written for
> > wireshark. Above example is one of such case, my previous question, about
> > CLRF was another.

  string1[\r\n\sa-zA-Z0-9]{0,30}string2

Adjust what's in the [ ]'s for whatever characters you want to accept in
the intervening space.  Curly braces say how many such tokens:

        {n,m}   At least n times, at most m times.
        {n,}    At least n times, no upper limit.
        {n}     Exactly n times
        {,m}    Nonsense (invalid)

Some suggested readings:

- man perlre, or Google, and search for "The following standard
  quantifiers are recognized"
- Mastering Regular Expressions, by Jeffrey Friedl.  Will hurt your head
  and teach you more than you ever wanted to know about RE's.

Thanks,

Hank

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

-- 
I.N.