I am trying to do a regex in Wireshark on the following HTTP header and want to filter the ones with an empty value.

User-Agent:

In the trace it shows

User-Agent: \r\n

I tried a regex like the following to match User-Agent: followed by a space, then end of line.

frame matches "User-Agent:[\s]$"

but it doesn't work. Can someone advise what's wrong? Thanks

asked 26 Jun '13, 15:28 brumik
2 Answers:
I believe the "$" will anchor the regex to the end of the whole frame, not one particular line in the frame. Could you try:
answered 27 Jun '13, 09:20 SYN-bit ♦♦ edited 27 Jun '13, 15:11
Please try this:
Regards

answered 26 Jun '13, 16:35 Kurt Knochner ♦

Thanks, frame matches "User-Agent: \r\n$" it still didn't match though. However http.user_agent == "" matches it but I wanted to use a regex. (27 Jun '13, 00:25) brumik

Correction I meant: frame matches "User-Agent: \r\n$" still didn't do the trick (27 Jun '13, 00:27) brumik

@brumik, Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information. (27 Jun '13, 02:27) grahamb ♦

Did you try 'double backslash'? Only that works in my test capture file.
instead of
(27 Jun '13, 05:50) Kurt Knochner ♦

Yes I did, strangely enough it didn't match with double backslash either. (27 Jun '13, 08:53) brumik

It does for me. What is your Wireshark version? (27 Jun '13, 13:16) Kurt Knochner ♦
I assume you meant "matches"? But yes, it did work without the $. Also without the \r\n at the start. Thanks everyone for the help.
Yes I did, it's corrected :-)
Glad the filter works for you!
If a response answers your question, please mark it as the accepted answer for the benefit of others. Refer to the FAQ for more information.
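The anchoring behaviour discussed in this thread, as an added example that is not part of the original posts: it uses Python's `re` module (not Wireshark's regex engine) on constructed payloads to show why a `$`-anchored pattern misses a header in the middle of a request, while a pattern bounded by the header line's own `\r\n` finds it. The function names, patterns other than the one quoted in the question's follow-up, and the sample data are assumptions made for illustration.

```python
import re

# Constructed sample payloads (not taken from any real capture).
EMPTY_UA = (b"GET /index.html HTTP/1.1\r\n"
            b"User-Agent: \r\n"
            b"Host: example.test\r\n\r\n")
NORMAL_UA = (b"GET /index.html HTTP/1.1\r\n"
             b"User-Agent: curl/8.0\r\n"
             b"Host: example.test\r\n\r\n")
# Truncated request where the empty header happens to be the last line.
UA_LAST = (b"GET / HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"User-Agent: \r\n")
# Non-empty header, but the request body contains the same text.
BODY_DECOY = (b"POST /log HTTP/1.1\r\n"
              b"User-Agent: curl/8.0\r\n"
              b"Content-Length: 14\r\n\r\n"
              b"User-Agent: \r\n")

# Pattern from the thread. Without re.MULTILINE, "$" matches only at the
# end of the whole buffer (or just before a final "\n"), not at each line end.
END_ANCHORED = re.compile(rb"User-Agent: \r\n$")

# Line-scoped alternative (an assumption, not the answer's filter): the
# header must be preceded by a CRLF and followed directly by its own CRLF.
LINE_SCOPED = re.compile(rb"\r\nUser-Agent:[ \t]*\r\n", re.IGNORECASE)


def end_anchored_hit(payload: bytes) -> bool:
    """True if the '$'-anchored pattern matches anywhere in the payload."""
    return END_ANCHORED.search(payload) is not None


def has_empty_user_agent(payload: bytes) -> bool:
    """True if the header block carries a User-Agent with an empty value."""
    # Only inspect the header block so body content cannot cause a hit.
    head, _, _ = payload.partition(b"\r\n\r\n")
    # partition() drops the last header's CRLF; restore it before matching.
    return LINE_SCOPED.search(head + b"\r\n") is not None


if __name__ == "__main__":
    samples = {"EMPTY_UA": EMPTY_UA, "NORMAL_UA": NORMAL_UA,
               "UA_LAST": UA_LAST, "BODY_DECOY": BODY_DECOY}
    for name, payload in samples.items():
        print(name, end_anchored_hit(payload), has_empty_user_agent(payload))
```

The `$`-anchored pattern only hits `UA_LAST`, where nothing follows the header, which is the behaviour described in the first answer.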