The following display filter works for my purposes, but has lots of false positives:
A better way would be to match two null bytes, like:
But then, since the string/input to matches is a null-terminated string, the regex searches only for the \xff byte; the following \x00 ends the string :/
Is there any way I didn't think of to include null bytes in the regex? Tried it with \0 and \000. Maybe some sort of (undocumented) special escape char?
asked 06 Apr '15, 14:40
OK, got it ;-) While it might be really useful if Wireshark did not use NULL-terminated C strings (for a software that deals mostly with BINARY data and not text...), there is a simple solution:
answered 08 Apr '15, 16:10
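
The truncation described in the question, modelled in Python as an added example (not code from the original posts and not the answer's filter). `as_c_string`, `matching_frames` and the sample frames are constructed for illustration, and Python's `re` stands in for Wireshark's regex engine as an assumption, so this shows the mechanism rather than Wireshark's exact escaping rules.

```python
import re


def as_c_string(pattern: bytes) -> bytes:
    """Model a NUL-terminated C string: everything from the first 0x00 on is lost."""
    return pattern.split(b"\x00", 1)[0]


def matching_frames(pattern: bytes, frames: dict) -> list:
    """Names of the frames matched by the pattern after C-string truncation."""
    rx = re.compile(as_c_string(pattern))
    return sorted(name for name, data in frames.items() if rx.search(data))


# Constructed payloads, not captured traffic.
FRAMES = {
    "wanted":  b"\x01\x02\xff\x00\x00\x10",  # 0xff followed by two NUL bytes
    "noise_a": b"\x01\xff\x41\x42",          # 0xff followed by other data
    "noise_b": b"\xff\x00\x07",              # 0xff followed by a single NUL
    "clean":   b"\x01\x02\x03",
}

# 1. Escapes for the NULs were decoded before the regex engine saw them:
#    the pattern buffer holds raw 0x00 bytes and is cut off after "\xff".
RAW_NUL = b"\\xff" + b"\x00\x00"

# 2. Escapes reach the regex engine as text (backslash, x, 0, 0), so the
#    buffer contains no NUL byte and the engine decodes them itself.
ENGINE_ESCAPE = rb"\xff\x00\x00"

# 3. No NUL written at all: the only byte outside 0x01-0xff is 0x00.
NEGATED_CLASS = rb"\xff[^\x01-\xff]{2}"

if __name__ == "__main__":
    for label, pat in [("raw NUL", RAW_NUL),
                       ("engine escape", ENGINE_ESCAPE),
                       ("negated class", NEGATED_CLASS)]:
        print(f"{label:14} effective={as_c_string(pat)!r} "
              f"hits={matching_frames(pat, FRAMES)}")
```

Only the first pattern degrades to a bare `\xff` search and picks up the false positives; the other two never place a 0x00 in the pattern buffer, so truncation cannot shorten them.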