It works for me.
I think the problem is that you're expecting the field "http" to only be the HTTP header portion of the message - i.e., the bytes highlighted when you click on the "HTTP" item in the display tree of the Packet Details window pane. But in fact the "http" field includes the body of the HTTP message as well, so your regex is getting executed against the entire HTTP message basically, and there's likely a "0A" byte, without a "0D" byte before it, inside the body somewhere.
Also, on a side note: Wireshark uses Glib's implementation of PCRE, which is real PCRE but with certain defaults changed. One of them is what a "newline" is by default, with respect to anchor matching for "^" and "$" in multiline mode. Glib treats either a carriage-return or linefeed or both as newlines by default for such cases (i.e., the same as "\R"), whereas I believe normal PCRE would only consider a linefeed ("\n" or "0A") as a "newline" for those cases. I don't think this would impact your match, but since your regex set multimode and used the "$" anchor, I thought I'd mention the difference.
answered 27 Aug '15, 07:24
Hadriel
2.7k●2●9●39
accept rate: 18%
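The following is an added illustration of the answer above; it is example code written for this page, not code from the thread or from Wireshark. It uses Python's re module to emulate the asker's filter against three constructed HTTP messages (not captures from the thread), showing that a bare 0A inside the body of a CRLF-terminated message is enough to produce a hit, and contrasting it with an end-of-data anchor (\Z). Whether a Wireshark display filter accepts \Z is an assumption the thread does not cover.

```python
import re

# The display-filter regex from the question, as a Python bytes pattern.
# Python's re: with (?m), "$" matches at the end of the data or just before a
# "\n", which is the stock-PCRE newline behaviour described in the answer. Glib's
# PCRE also treats CR and CRLF as newlines there, so it can match in a few more
# places, but the failure mode shown here is the same.
QUESTION_REGEX = re.compile(rb"(?m)(?<!\x0d)\x0a$")

# Constructed sample HTTP messages (not captures from the thread).
# 1. Properly CRLF-terminated, but the body contains a bare LF (0A with no 0D).
MSG_CRLF_END_BARE_LF_IN_BODY = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 14\r\n"
    b"\r\n"
    b"line1\n\nline2\r\n"
)
# 2. Terminated by a bare LF: what the asker actually wants to find.
MSG_BARE_LF_END = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\n"
# 3. Clean CRLF-terminated message with no bare LF anywhere.
MSG_CLEAN = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def question_filter_matches(msg: bytes) -> bool:
    """Emulates the original filter run over the whole "http" field (headers + body)."""
    return QUESTION_REGEX.search(msg) is not None


def first_bare_lf_offset(msg: bytes) -> int:
    """Offset of the first 0A not preceded by 0D, or -1. Locating it shows whether
    the hit came from the header block or from somewhere inside the body."""
    m = re.search(rb"(?<!\x0d)\x0a", msg)
    return m.start() if m else -1


def ends_with_bare_lf(msg: bytes) -> bool:
    """True only when the final byte of the message is 0A not preceded by 0D.
    \\Z anchors at the real end of the data rather than at every line end, so a
    bare LF inside the body no longer produces a hit. (Whether a Wireshark
    display filter accepts \\Z is an assumption not covered by the thread.)"""
    return re.search(rb"(?<!\x0d)\x0a\Z", msg) is not None


def summarize(msg: bytes) -> dict:
    """Side-by-side result for one message."""
    return {
        "question_filter": question_filter_matches(msg),
        "first_bare_lf_at": first_bare_lf_offset(msg),
        "ends_with_bare_lf": ends_with_bare_lf(msg),
    }


if __name__ == "__main__":
    for name, msg in [
        ("crlf-terminated, bare LF in body", MSG_CRLF_END_BARE_LF_IN_BODY),
        ("bare-LF-terminated", MSG_BARE_LF_END),
        ("clean", MSG_CLEAN),
    ]:
        print(f"{name}: {summarize(msg)}")
```

Running it shows the first message matching the original filter even though it ends in 0D0A, with the bare LF located inside the body after the blank line, while the end-anchored variant only reports the message that really ends in a bare 0A.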
What do you mean by "regex in wireshark" - what feature in Wireshark in particular are you trying to use a regex with? Display filters? And how are you trying to use a lookaround exactly?
I ask because yes, Wireshark's internal regex engine supports lookarounds - its internal engine is PCRE. (well... Glib's version of PCRE anyway)
Hi Hadriel. Yes, I want to use the lookaround feature of regex in Wireshark (v1.12.7). I have used the display filter below.
http.request and http matches "(?m)(?<!\x0d)\x0a$"
I want to find packets that finish with 0A only. But that display filter found packets that finished with 0D0A as well as 0A.