This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is regex lookaround supported in wireshark display filters?


Is it supported?

asked 26 Aug '15, 10:26


MrKang

edited 27 Aug '15, 07:27


Hadriel

What do you mean by "regex in wireshark" - what feature in Wireshark in particular are you trying to use a regex with? Display filters? And how are you trying to use a lookaround exactly?

I ask because yes, Wireshark's internal regex engine supports lookarounds - its internal engine is PCRE. (well... Glib's version of PCRE anyway)

(26 Aug '15, 17:56) Hadriel

Hi Hadriel. Yes, I want to use the lookaround feature of regex in Wireshark (v1.12.7). I have used the display filter below.

http.request and http matches "(?m)(?<!\x0d)\x0a$"

I want to find packets that end with 0A only. But that display filter found packets that end with 0D0A and 0A.

(27 Aug '15, 02:58) MrKang

One Answer:


It works for me.

I think the problem is that you're expecting the field "http" to only be the HTTP header portion of the message - i.e., the bytes highlighted when you click on the "HTTP" item in the display tree of the Packet Details window pane. But in fact the "http" field includes the body of the HTTP message as well, so your regex is getting executed against the entire HTTP message basically, and there's likely a "0A" byte, without a "0D" byte before it, inside the body somewhere.

Also, on a side note: Wireshark uses Glib's implementation of PCRE, which is real PCRE but with certain defaults changed. One of them is what a "newline" is by default, with respect to anchor matching for "^" and "$" in multiline mode. Glib treats either a carriage-return or linefeed or both as newlines by default for such cases (i.e., the same as "\R"), whereas I believe normal PCRE would only consider a linefeed ("\n" or "0A") as a "newline" for those cases. I don't think this would impact your match, but since your regex set multimode and used the "$" anchor, I thought I'd mention the difference.

answered 27 Aug '15, 07:24


Hadriel
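To see why the filter matched packets whose headers end in 0D0A, here is an added Python example (not from the question, the answer, or Wireshark's code) that runs the same regex over a constructed HTTP message, first over the header bytes alone and then over the whole message including the body. It also emulates the GLib newline convention the answer mentions with an explicit lookahead; that emulation is an assumption for illustration, not GLib's implementation.

```python
import re

# Constructed sample: request headers terminated by CRLF, followed by a body
# whose last byte is a bare LF (0x0A) with no CR before it.
HEADER = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
)
BODY = b"line one\n"
MESSAGE = HEADER + BODY

# Constructed sample for the side note: a bare LF immediately followed by CRLF.
MIXED = b"partial\n\r\nnext"

# The pattern from the question, compiled as a bytes regex so \x0d/\x0a are
# raw byte values. Python's re, like stock PCRE, only treats LF as the line
# terminator that "$" matches before in multiline mode.
LONE_LF_AT_EOL = re.compile(rb"(?m)(?<!\x0d)\x0a$")

# Assumed emulation (not GLib code) of GLib's default newline convention,
# where "$" also matches before CR or CRLF: replace "$" with a lookahead
# for any of the three terminators or end of subject.
LONE_LF_AT_EOL_ANYCRLF = re.compile(rb"(?<!\x0d)\x0a(?=\r\n|\r|\n|\Z)")


def _pattern(anycrlf: bool) -> re.Pattern:
    return LONE_LF_AT_EOL_ANYCRLF if anycrlf else LONE_LF_AT_EOL


def ends_with_lone_lf(data: bytes, anycrlf: bool = False) -> bool:
    """True if `data` contains a line ending in a bare LF (no CR before it)."""
    return _pattern(anycrlf).search(data) is not None


def lone_lf_offsets(data: bytes, anycrlf: bool = False) -> list[int]:
    """Byte offsets of every match, so you can see where in the message it hit."""
    return [m.start() for m in _pattern(anycrlf).finditer(data)]


if __name__ == "__main__":
    # Header alone: every LF is preceded by CR, so no match.
    print("header only:", ends_with_lone_lf(HEADER))
    # Whole message: the body's trailing bare LF matches, at the last offset.
    print("full message:", ends_with_lone_lf(MESSAGE), lone_lf_offsets(MESSAGE))
    # Newline-convention difference: LF before CRLF matches only under ANYCRLF.
    print("mixed, LF-only newline:", ends_with_lone_lf(MIXED))
    print("mixed, CR/LF/CRLF newline:", ends_with_lone_lf(MIXED, anycrlf=True))
```

Running it shows the header bytes produce no match while the full message matches at its last byte, which is the behaviour the answer describes for the "http" field. The MIXED sample only matches under the emulated CR/LF/CRLF convention, which is the anchor difference the side note warns about; check which convention your Wireshark build uses before relying on "$" against CR-terminated data.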

I understand now. I checked the packet again. The packet that ends with 0D0A and 0A is the body of the HTTP message. Thank you. :)

(27 Aug '15, 09:22) MrKang