This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.
0
1

The following display filter works for my purposes, but has lots of false positives: tcp matches "\xff....\xfe"

A better way would be to match two null bytes, like: tcp matches "\xff\x00\x00..\xfe"

But then, since the string/input to matches is a null terminated string, the regex searches only for the \xff byte, the following \x00 ends the string :/

Is there any way i didn't thought of to include null bytes in the regex? Tried it with \0 and \000. Maybe some sort of (undocumented) special escape char?

Btw. tcp contains ff:00... doesn't work for me because i need the regex power of matching 2 "dont care" bytes (but dontcare/wildcard for contains would be nice tho too ^^)

asked 06 Apr '15, 14:40

topview's gravatar image

topview
21124
accept rate: 100%


Ok got it ;-) While it might be really usefull that Wireshark would not use NULL terminated c-strings (for a software that deals mostly with BINARY data and not text...), there is a simple solution:

[^\x01-\xFF] matches a null byte

Instead of tcp matches "\xff\x00\x00..\xfe" which wont work as intended,

use: tcp matches "\xff[^\x01-\xFF]{2}..\xfe"

permanent link

answered 08 Apr '15, 16:10

topview's gravatar image

topview
21124
accept rate: 100%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×10
×6
×6

question asked: 06 Apr '15, 14:40

question was seen: 2,662 times

last updated: 08 Apr '15, 16:10

p​o​w​e​r​e​d by O​S​Q​A