This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to search for a string with the format x.x-xxxxxxx?

0

I am looking for a version string with the format of x.x-xxxxxxx in a pcap file I have. I am fairly new to Wireshark and I would like some help figuring out how to search for this.

asked 28 Sep '16, 11:20

patprime


One Answer:

0

Use Edit -> Find (or just press Ctrl-F); a new toolbar will show up below the "display filter" one. At the right, choose Packet bytes and Regular expression from the respective drop-down lists, and fill the regular expression describing your version string as precisely as possible into the search term field. Then each press of the Find button next to it will take you to the next packet matching the condition, or the status line below will flash yellow to indicate that no such packet could be found.

As you haven't been exact about the possible values of x, x and xxxxxxx, I cannot give you a matching regular expression. If you know the exact string, just write it to the field, except that you have to use \. instead of just . because in regexp syntax, the . alone means "any character". The - may remain as-is in this simple expression, although in more complex cases it sometimes needs a special treatment as well.

EDIT:
Instead of the Find functionality, you can also use a display filter: frame matches regexp will display only frames whose contents, interpreted as text, match the regexp.

answered 28 Sep '16, 11:55

sindy

edited 04 Nov '16, 03:16

@sindy thanks for the answer! I did not specify the value because my goal is finding out every possible 11 char version string that looks like x.x-xxxxxxx (thus x can be every number).

(04 Nov '16, 02:57) lcltornado

Well, "every possible 11 char" sounds as if any symbol (including letters and special symbols) would be valid as x, while "x can be every number" sounds like "x can be any digit". The point is that if you can restrict the regular expression to digits x, you'll have fewer false positives.

(04 Nov '16, 03:02) sindy
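
The regular-expression advice in the answer and comments above, as an added example that is not part of the original posts: three candidate patterns for x.x-xxxxxxx are run over the frames of a small constructed capture to show which ones produce false positives. The pattern names, helper functions and sample payloads are assumptions made for illustration; only the classic pcap format (not pcapng) is parsed.

```python
import re
import struct

# Digits only, literal dot; lookarounds keep the match from being cut out of a longer digit run.
STRICT = re.compile(rb"(?<!\d)\d\.\d-\d{7}(?!\d)")
# Unescaped "." means "any character", so "2x4-1234567" matches too.
UNESCAPED_DOT = re.compile(rb"\d.\d-\d{7}")
# "x can be any symbol": every x is a wildcard, which invites false positives.
ANY_SYMBOL = re.compile(rb".\..-.{7}")


def iter_frames(pcap):
    """Yield (frame_number, frame_bytes) from a classic pcap buffer (not pcapng)."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset, number = 24, 0  # skip the 24-byte global header
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, offset + 8)[0]
        offset += 16  # per-packet record header
        number += 1
        yield number, pcap[offset:offset + incl_len]
        offset += incl_len


def find_versions(pcap, pattern=STRICT):
    """Return (frame_number, matched_text) for every hit, like stepping through Find."""
    return [(n, m.group().decode("latin-1"))
            for n, frame in iter_frames(pcap)
            for m in pattern.finditer(frame)]


def build_sample_pcap():
    """Constructed capture: four raw payloads, link type 147 (USER0), no real headers."""
    payloads = [
        b"Server: demo/2.4-1234567\r\n",   # the string we want
        b"GET /a.b-cdefghi HTTP/1.1\r\n",  # same shape, no digits
        b"build 2.4-12345678\r\n",         # eight trailing digits
        b"seq 2x4-1234567\r\n",            # no literal dot
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
    for p in payloads:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    sample = build_sample_pcap()
    for name, rx in (("strict", STRICT), ("unescaped dot", UNESCAPED_DOT), ("any symbol", ANY_SYMBOL)):
        print(name, find_versions(sample, rx))
```

In Wireshark itself, the digits-only form can be written as the display filter frame matches "[0-9][.][0-9]-[0-9]{7}", where the [.] character class stands in for an escaped dot.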