This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it supported?

asked 26 Aug '15, 10:26

MrKang

edited 27 Aug '15, 07:27

Hadriel

What do you mean by "regex in wireshark" - what feature in Wireshark in particular are you trying to use a regex with? Display filters? And how are you trying to use a lookaround exactly?

I ask because yes, Wireshark's internal regex engine supports lookarounds - its internal engine is PCRE. (well... Glib's version of PCRE anyway)

(26 Aug '15, 17:56) Hadriel

Hi Hadriel. Yes, I want to use the lookaround feature of regex in Wireshark (v1.12.7). I have used the display filter below.

http.request and http matches "(?m)(?<!\x0d)\x0a$"

I want to find packets that end with 0A only. But that display filter found packets that end with 0D0A and 0A.

(27 Aug '15, 02:58) MrKang

It works for me.

I think the problem is that you're expecting the field "http" to only be the HTTP header portion of the message - i.e., the bytes highlighted when you click on the "HTTP" item in the display tree of the Packet Details window pane. But in fact the "http" field includes the body of the HTTP message as well, so your regex is getting executed against the entire HTTP message basically, and there's likely a "0A" byte, without a "0D" byte before it, inside the body somewhere.

Also, on a side note: Wireshark uses Glib's implementation of PCRE, which is real PCRE but with certain defaults changed. One of them is what a "newline" is by default, with respect to anchor matching for "^" and "$" in multiline mode. Glib treats either a carriage-return or linefeed or both as newlines by default for such cases (i.e., the same as "\R"), whereas I believe normal PCRE would only consider a linefeed ("\n" or "0A") as a "newline" for those cases. I don't think this would impact your match, but since your regex set multimode and used the "$" anchor, I thought I'd mention the difference.

answered 27 Aug '15, 07:24

Hadriel
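To see why the filter selected those packets, here is an added example (not from the question or the answer) that runs the same regex under Python's re over constructed HTTP messages and reports whether a match comes from the header block or the body. It assumes Python's stock-PCRE-like "$" semantics (end of data or just before "\n" in multiline mode), so it does not emulate the GLib newline default Hadriel mentions.

```python
import re

# The display-filter regex from the question, as Python's re interprets it.
# Python's re, like stock PCRE, lets "$" in multiline mode match only at the
# end of the data or just before "\n"; GLib's PCRE defaults (see the answer)
# also treat "\r" as a newline, which this example does not emulate.
BARE_LF_AT_EOL = re.compile(rb"(?m)(?<!\x0d)\x0a$")

# Constructed sample HTTP messages (not captured traffic).
HEADERS_ONLY = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
WITH_LF_BODY = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 18\r\n\r\nline one\nline two\n")
MID_LF_BODY = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 12\r\n\r\nline one\nend")
LF_HEADER = b"GET / HTTP/1.1\nHost: example.test\n\n"

_HEADER_END = re.compile(rb"\r\n\r\n|\n\n")


def split_http_message(msg: bytes):
    """Split at the first blank line (CRLF or bare LF); returns (header, body)."""
    m = _HEADER_END.search(msg)
    if m is None:
        return msg, b""
    return msg[: m.end()], msg[m.end():]


def bare_lf_location(msg: bytes) -> str:
    """Where the regex fires for this message: 'header', 'body' or 'none'.

    Wireshark's "http" field covers the whole message, so a match anywhere in
    the body is enough for the display filter to select the packet.
    """
    header, body = split_http_message(msg)
    if BARE_LF_AT_EOL.search(header):
        return "header"
    if BARE_LF_AT_EOL.search(body):
        return "body"
    return "none"


if __name__ == "__main__":
    samples = [("HEADERS_ONLY", HEADERS_ONLY), ("WITH_LF_BODY", WITH_LF_BODY),
               ("MID_LF_BODY", MID_LF_BODY), ("LF_HEADER", LF_HEADER)]
    for name, msg in samples:
        print(f"{name:13s} -> {bare_lf_location(msg)}")
```

Note that MID_LF_BODY contains a bare LF but does not match: "\x0a$" needs the LF to sit at the end of the data or directly before another newline, so a lone LF in the middle of a line is ignored by this regex.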

I have understood. I checked the packet again. The packet that ends with 0D0A and 0A is in the body of the HTTP message. Thank you. :)

(27 Aug '15, 09:22) MrKang
question asked: 26 Aug '15, 10:26

question was seen: 1,961 times

last updated: 27 Aug '15, 09:22