I’ve been trying to get a filter to match a sequence that can appear at any offset but follows a pattern of two set values, a random value, and a final set value.

Tried the usual suspects like:

data.data contains a4:c3:$$:b2
data.data contains a4:c3:??:b2
data.data contains a4:c3:*:b2
data.data contains a4:c3:[00-ff]:b2
data.data contains a4:c3:[!00]:b2

Tried replacing contains with matches.

How would I go about doing this?

Thank you.

asked 15 Feb '15, 20:55

screenname12...

edited 15 Feb '15, 20:59


contains is a plain string search. What you are looking for is matches (regular expressions):

http://wiki.wireshark.org/DisplayFilters

I have not tested the following, but I think it should work.

data.data matches "a4:c3:..:b2"

However, if the data is binary, you'll have to escape the HEX representation:

data.data matches "\xa4.\xc3...\xb2"

I did NOT escape ":" as I don't know if that's an ASCII char in your example, so I used '.' instead.

Regards
Kurt

answered 16 Feb '15, 06:26

Kurt Knochner ♦

edited 16 Feb '15, 06:28
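
Added example, not part of the original question or answer: the same "a4 c3, any byte, b2" search run over raw bytes, using Python's `re` as a stand-in for a regex engine (it is not Wireshark's own matcher). The payloads are constructed; it shows why a text-style pattern only fits a colon-separated hex rendering, and that `.` skips a wildcard byte equal to 0x0a unless dot-all mode is on.

```python
import re

# Raw-byte pattern: a4 c3 <any one byte> b2.
# re.DOTALL makes '.' match every byte value, including 0x0a.
WILDCARD = re.compile(rb"\xa4\xc3.\xb2", re.DOTALL)

# Same pattern without DOTALL: '.' does not match 0x0a (newline).
NO_DOTALL = re.compile(rb"\xa4\xc3.\xb2")

# Text-style pattern: matches the ASCII characters "a4:c3:", two chars, ":b2".
TEXT_STYLE = re.compile(rb"a4:c3:..:b2")


def offsets(regex, payload):
    """Return the start offset of every non-overlapping match in payload."""
    return [m.start() for m in regex.finditer(payload)]


def hex_colon(payload):
    """Render bytes as colon-separated hex text, e.g. b'\\xa4\\xc3' -> b'a4:c3'."""
    return ":".join(f"{b:02x}" for b in payload).encode("ascii")


def text_offsets(payload):
    """Match the text-style pattern on the hex rendering; return byte offsets."""
    # Each byte occupies 3 characters ("xx:") in the rendering.
    return [m.start() // 3 for m in TEXT_STYLE.finditer(hex_colon(payload))]


# Constructed sample payloads.
P_MIDDLE = bytes.fromhex("0011a4c37fb2ff")   # sequence at offset 2, wildcard 0x7f
P_NEWLINE = bytes.fromhex("a4c30ab2")        # wildcard byte is 0x0a
P_SHORT = bytes.fromhex("a4c3b2")            # no byte between c3 and b2

if __name__ == "__main__":
    for name, p in [("middle", P_MIDDLE), ("newline", P_NEWLINE), ("short", P_SHORT)]:
        print(name,
              "dotall:", offsets(WILDCARD, p),
              "no-dotall:", offsets(NO_DOTALL, p),
              "text-on-raw:", offsets(TEXT_STYLE, p),
              "text-on-hex:", text_offsets(p))
```
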

question asked: 15 Feb '15, 20:55

question was seen: 8,535 times

last updated: 16 Feb '15, 06:28