This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

display filter using PCRE

0

Wonder if it is possible to use regular expression in display filter, for example, I need to find all HTTP requests whose "Host" headers are followed by an IP address instead of host name.

Something like the following PCRE (not perfect, I know):

Host: ([\d\.\:]+)\r\n

Thanks.

asked 07 May '15, 06:43

pktUser1001's gravatar image

pktUser1001
201495054
accept rate: 12%

One Answer:

2

The "matches" operator offers PCRE matching. See the filters man page.

answered 07 May '15, 07:05

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Thanks for the tip. I used http.host matches "^[\\d\\.\\:]+$" and tcp and it worked well.

(07 May '15, 08:42) pktUser1001