This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filtering data-text-lines with pattern


Hi,

Is there a way to use pattern filtering in tshark/Wireshark?

I would like to search for the HTTP requests by filtering all the data-text-lines that contain a sequence of digits, for example 14521-12425-22 - is there something that I could use with filter: data-text-lines contains "XXXXX-XXXXX-XX" where X would be any digit from 0-9?

asked 06 Oct '16, 05:15

JSJ
accept rate: 0%


One Answer:


You can use the display filter "matches" operator and a regular expression.

For your pattern you would need an expression such as ... matches "[0-9]{5}-[0-9]{5}-[0-9]{2}"

answered 06 Oct '16, 06:32

grahamb ♦
accept rate: 22%

Thank you, works perfectly!

A follow up; can you define more digits/characters in the brackets, for example like [0-9,A-Z,a-z] ?

(06 Oct '16, 22:32) JSJ

The square brackets define a regex character class which can have any distinct characters in them, and using ranges as you've suggested.

However there are other definitions that are somewhat more succinct that mean the same thing, e.g. the POSIX character classes such as [[:alnum:]] or the generic character types such as \w, although this includes the "_".

The full syntax available for Wireshark regular expressions is shown here.

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(07 Oct '16, 02:32) grahamb ♦
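
Added example, not part of the original thread: a Python model of the `matches` filter and the character classes discussed above, run over constructed sample lines. It assumes Python's `re` behaves like Wireshark's regex engine for these constructs; the helper names are hypothetical, and the bounded pattern goes slightly beyond the thread by rejecting hits embedded in longer digit runs.

```python
import re

# Constructed sample payload lines, standing in for data-text-lines content.
SAMPLE_LINES = [
    "id=14521-12425-22&ok=1",    # exactly the pattern from the question
    "ref=914521-12425-223",      # longer digit runs that contain the pattern
    "id=1452-12425-22",          # first group one digit short
]

ID_RE = r"[0-9]{5}-[0-9]{5}-[0-9]{2}"
# Same pattern, refusing a digit directly before or after the match.
ID_RE_BOUNDED = r"(?<![0-9])" + ID_RE + r"(?![0-9])"


def matches(pattern, text):
    """Model `matches`: an unanchored, case-insensitive regex search."""
    return re.search(pattern, text, re.IGNORECASE) is not None


def filter_lines(pattern, lines=SAMPLE_LINES):
    """Return the lines a `matches "<pattern>"` filter would select."""
    return [line for line in lines if matches(pattern, line)]


def class_members(char_class, candidates="aZ5_,-"):
    """Return the candidate characters that a one-character class accepts."""
    return "".join(c for c in candidates if re.fullmatch(char_class, c))


if __name__ == "__main__":
    print(filter_lines(ID_RE))          # also selects the embedded hit
    print(filter_lines(ID_RE_BOUNDED))  # only the stand-alone identifier
    # Commas inside [...] are literal members, and \w also accepts "_".
    for cls in (r"[0-9A-Za-z]", r"[0-9,A-Z,a-z]", r"\w"):
        print(cls, "->", class_members(cls))
```

Python's `re` has no POSIX classes such as `[[:alnum:]]`, so that form is left out of the model.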