I'm trying to match a chat packet for a game using whatever regex Wireshark uses. Apparently it's Perl, but I cannot get it to work... The data starts with XX:XX:19, 19 being the packet type. Here are a couple of examples: http://imgur.com/a/MMuDh

I've tried things such as the following, with no consistency at all, and I'm about to tear out my hair...

"..:..:19"
"......19"
"..:..:\x19"
"\x[0-9A-F.\x[0-9A-F.\x19]

The closest I can get is just doing "\x19", but this picks up other stuff too... Please help me out here...

asked 24 May '16, 14:23 pink_panther
One Answer:
How about

answered 24 May '16, 14:49 cmaynard ♦♦
This matches some stuff, but it doesn't even match the ones I'm looking for that it definitely should be matching... like the 2 in that screenshot.
If it helps, I can upload a capture file to test on; this is driving me insane with its inconsistency....
Here: http://www.filedropper.com/capture_26
Examples of the ones I'm trying to filter are: 8028, 15751, 18126, 18591, 21054, 25857, 26832, 28383, 30596
Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.
OK, I hadn't looked at your screenshot; they're generally frowned upon here.
Your capture file reveals a TCP stream of data. I think your best bet is to write a dissector for the TCP payload, and then you'll be able to search for the packet type much more easily using a dedicated filter for it,
yourchat.packet_type == 0x19
for example. If you can't or don't want to write one in C, you can probably write one in Lua. You might want to look at the examples on the wiki for inspiration. See https://wiki.wireshark.org/Lua/Examples
BTW, I think the reason why
".{2}\x19"
didn't quite work is because of the \x00 preceding the \x19, and "." won't match new-lines by default. You might try
data matches "(?s:.){2}\x19"
instead. I still think you're better off writing a dissector for this chat protocol.
I'll look into that..
The GUI shows the data without the : and doesn't even match "19", so I don't understand what format the data is actually in??
Is it 1 hex value per line? So maybe ".{2}\n.{2}\n\x19" ?
When I applied the
data matches "(?s:.){2}\x19"
filter on your capture file, it matched 75 frames, including all the frames you listed above, namely: 8028, 15751, 18126, 18591, 21054, 25857, 26832, 28383, 30596. Incidentally, if you apply a slightly modified filter of
data matches "^(?s:.){2}\x19"
then it only matches the frames you listed, so perhaps that's more what you're looking for?

Bingo bango!
Uhhhh so many thanks for this.
I thought I was good with regex, but it seems the way the data is displayed on the gui must differ from how it's actually represented.
Anyway, thank you VERY much for this. I'll be able to take it from here and do the rest of the stuff I need to do now.
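As an added illustration that is not part of the original thread and not cmaynard's or pink_panther's code: the Python script below reproduces, with the standard re module on raw bytes, why the three filters discussed above behave differently. Wireshark's "matches" operator runs a PCRE-style regex over the raw bytes of the field, not over the hex text shown in the packet-bytes pane, which is why a pattern written against the hex dump ("..:..:19") never matches. The sample payloads are constructed, not taken from the capture, and the layout they assume (two header bytes, then the 0x19 type byte, then the body) is the one pink_panther described.

```python
import re

# Constructed sample TCP payloads (NOT from the capture in the thread).
# Assumed layout from the question: two header bytes, then the packet-type
# byte (0x19 for chat), then the body.
PAYLOADS = {
    "chat_newline_in_header": b"\x00\x0a\x19hello there",  # 2nd header byte is 0x0a ('\n')
    "chat_plain":             b"\x12\x00\x19hi",
    "not_chat":               b"\x05\x00\x03some\x19data",  # 0x19 only inside the body
}

# The display-filter patterns from the thread, as byte regexes.
FILTERS = {
    "hex_text": rb"..:..:19",        # written against the hex pane, not the bytes
    "dot":      rb".{2}\x19",        # '.' does not match 0x0a unless (?s) is set
    "dotall":   rb"(?s:.){2}\x19",   # (?s) makes '.' match every byte value
    "anchored": rb"^(?s:.){2}\x19",  # additionally require the match at offset 0
}


def data_matches(pattern: bytes, payload: bytes) -> bool:
    """Approximate Wireshark's `data matches "..."`: an unanchored regex
    search over the raw bytes of the data field, not over its hex rendering."""
    return re.search(pattern, payload) is not None


def hex_pane(payload: bytes) -> str:
    """Render bytes the way the packet-bytes pane shows them (e.g. '00 0a 19').
    This text is only what the GUI displays; the filter never sees it."""
    return payload.hex(" ")


def evaluate(filters=FILTERS, payloads=PAYLOADS):
    """Return {filter_name: {payload_name: matched}} for every combination."""
    return {
        fname: {pname: data_matches(pat, data) for pname, data in payloads.items()}
        for fname, pat in filters.items()
    }


def chat_frames(payloads=PAYLOADS) -> list:
    """Names of the payloads the final, anchored filter selects."""
    return [p for p, d in payloads.items() if data_matches(FILTERS["anchored"], d)]


if __name__ == "__main__":
    for pname, data in PAYLOADS.items():
        print(f"{pname:24} {hex_pane(data)}")
    for fname, row in evaluate().items():
        print(f"{fname:10}", {p: ("match" if m else "-") for p, m in row.items()})
    print("chat frames:", chat_frames())
```

Running it shows the three effects from the thread: "..:..:19" matches nothing, ".{2}\x19" misses the chat packet whose header contains 0x0a and still hits the non-chat packet with a 0x19 in its body, and "^(?s:.){2}\x19" selects exactly the chat packets. One caveat for real traffic: "^" anchors at the start of the data field, i.e. the start of the TCP segment payload, so the anchored filter only finds chat packets that begin a segment; when several game packets are coalesced into one segment, or one packet is split across segments, the dissector cmaynard recommends is the robust option.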