
Wireshark-users: Re: [Wireshark-users] Display Filter Regex

From: Tony Trinh <tony19@xxxxxxxxx>
Date: Sat, 3 Nov 2012 12:12:43 -0500
On Sat, Nov 3, 2012 at 9:14 AM, NeonFlash <psykosonik_frequenz@xxxxxxxxx> wrote:
> ________________________________
> From: NeonFlash <psykosonik_frequenz@xxxxxxxxx>
> To: "wireshark-users@xxxxxxxxxxxxx" <wireshark-users@xxxxxxxxxxxxx>
> Sent: Tuesday, October 30, 2012 8:51 AM
> Subject: Display Filter Regex
>
> Hi,
>
> I want to use a display filter for all the HTTP GET Requests which are of
> the form as shown below:
>
> index.php?something=
>
> As far as I know, the expression, "http contains" does not support
> Perl-compatible regular expressions.
>
> I am using this display filter at the moment:
>
> http.request.method == "GET" && http contains "php?"
>
> however, it also displays some GET requests to paths as shown below:
>
> /images/nature/forest.jpg
>
> Even though the GET Request to the above path does not contain the string,
> php?
>
> My guess is that it displays those frames as well because they belong to the
> same tcp stream as the one which involves the GET request to php files?
>
> http matches does support PCRE but then, I cannot use it with the above
> form.
>
> It would be great to make this display filter more exact.
>
> Thanks.

You should check only the URI:

http.request.method == "GET" && http.request.full_uri matches "index\.php\?.*="
http.request.method == "GET" && http.request.full_uri contains "index.php?"
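
Added example, not part of the original thread or of Wireshark's code: a Python approximation of the two filters run over constructed requests. It shows one way a whole-message substring test can match an image request while a URI-only test does not. The Referer header on the image request is an assumption (the thread does not show the captured headers), and the host name, request contents and function names are made up for the illustration.

```python
import re

# Constructed sample requests (not captured traffic).
REQUESTS = [
    b"GET /index.php?id=7 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Assumed case: the image is loaded from the PHP page, so the browser
    # sends a Referer header that carries the "php?" string.
    b"GET /images/nature/forest.jpg HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Referer: http://www.example.com/index.php?id=7\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /index.php?id=7 HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Length: 0\r\n\r\n",
]

def parse_request(raw):
    """Return (method, full_uri) for one raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Approximates http.request.full_uri: scheme + Host header + request target.
    return method, "http://" + headers.get("host", "") + target

def whole_message_filter(raw):
    """Approximates: http.request.method == "GET" && http contains "php?"."""
    method, _ = parse_request(raw)
    return method == "GET" and b"php?" in raw   # searches headers too

def uri_only_filter(raw):
    """Approximates: ... && http.request.full_uri matches "index\\.php\\?.*="."""
    method, full_uri = parse_request(raw)
    return method == "GET" and re.search(r"index\.php\?.*=", full_uri) is not None

def matching_targets(predicate):
    """Request targets of the sample requests accepted by the predicate."""
    return [r.split(b" ", 2)[1].decode() for r in REQUESTS if predicate(r)]

if __name__ == "__main__":
    print("whole message:", matching_targets(whole_message_filter))
    print("URI only:     ", matching_targets(uri_only_filter))
```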