This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to search for a string with the format x.x-xxxxxxx?

0

I am looking for a version string with the format of x.x-xxxxxxx in a pcap file I have. I am fairly new to wireshark and I would like some help figuring out how to search for this.

asked 28 Sep '16, 11:20

patprime's gravatar image

patprime
6112
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
0

Use Edit -> Find (or just press Ctrl-F), a new toolbar will show up below the "display filter" one. At the right, choose Packet bytes and Regular expression from the respective drop-down lists, and fill the regular expression describing your version string as precisely as possible into the search term field. Then each press of the Find button next to it will take you to next packet matching the condition, or the status line below will flash yellow to indicate that no such packet could be found.

As you haven't been exact about the possible values of x, x and xxxxxxx, I cannot give you a matching regular expression. If you know the exact string, just write it to the field, except that you have to use \. instead of just . because in regexp syntax, the . alone means "any character". The - may remain as-is in this simple expression, although in more complex cases it sometimes needs a special treatment as well.

EDIT:
Instead of the Find functionality, you can also use a display filter: frame matches regexp will display only frames whose contents interpreted as text matches the regexp.

permanent link

answered 28 Sep '16, 11:55

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 04 Nov '16, 03:16

@sindy thanks for the answer! I did not specified the value because my goal is finding out every possible 11 char version string that looks x.x-xxxxxxx (thus x can be every number)

(04 Nov '16, 02:57) lcltornado

well, "every possible 11 char" sounds as if any symbol (including letters and special symbols) would be valid as x, while "x can be every number" sounds like "x can be any digit". The point is that if you can restrict the regular expression to digits x, you'll have less false positives.

(04 Nov '16, 03:02) sindy
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×349
×3
×2

question asked: 28 Sep '16, 11:20

question was seen: 1,790 times

last updated: 04 Nov '16, 03:16

Related questions

Difference between "Edit -> Find Packet..." and "tcp contains"

visited sites filter

Bypassing the wireshark/tshark interface to use the dissector

capture filter does not filter

Capture filter does not work

Trace only relevant traffic

tshark: write packets matching a filter

How to filter by Info column?

How do I track UDP packets from localhost?

Filter for SYN, PSH and RST flags

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A