Wireshark-users: Re: [Wireshark-users] Display filter

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 3 May 2007 07:36:53 +0200
On Wed, May 02, 2007 at 04:25:31PM -0800, Irakli Natshvlishvili wrote:
> It does, thanks.
> 
> But I still have a problem applying the correct filter. For example, here is
> content of UDP packet:
> 
> ---------------------------------------------------------------------------------
> SIP/2.0 200 OK
> To: <sip:[email protected]>;tag=51d14022
> From: 9094354499<sip:[email protected]>;tag=4c3d535f
> Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bKD22343432336665633a787.0
> Via: SIP/2.0/UDP 10.10.10.100
> ;branch=z9hG4bK-4fe05e85f80de1da371f137b46b23e25;psrrposn=1
> Via: SIP/2.0/UDP 10.10.10.50:5065
> ;branch=z9hG4bK-d87543-9b1a2741582f6b580701-1-cHA4NmI1ZmE3MDEzOWRmZjFhMzViZg..-d87543-
> Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2
> CSeq: 342974572 INVITE
> Contact: <
> sip:4pbueHxLlmmKCczZ-2iiiSB3Y37p6oGYVI7qOS2l5TN2_Oan0FWp60466xKFg..@10.10.10.10
> >
> User-Agent: Tele2100
> ---------------------------------------------------------------------------------
> 
> Look at rows #4-7. They start with "Via:" string
> I want to find all packets where "Via:" string occurs more than once, above
> packet is an example.
> 
> But when I use filter
> 
> udp matches "Via.*Via"
> 
> It does not display anything.
> 
> What am I doing wrong?

Regular expressions are line based, so the "." (match any character) does
not match a CR/LF. You have to match against those yourself for it to
work.

Look at the following http-header:

Host: www.google.nl
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) 

If I use the filter 'http matches "Host: .*\015\012User-Agent: .*"', it
will filter out all the http-packets where the User-Agent header follows
the Host header. I use \015\012 (the octal representation of a CR/LF).

You could also use 'http matches "Host: .*\\r\\nUser-Agent: .*"'. Can
anyone explain why I need to escape the "\" with the \r and \n, but
I don't have to escape the \ in the octal representation?

So, back to your filter, if the Via: headers are put after one another
(as in your example), you could use 'udp matches "Via: .*\015\012Via: .*"'.

Hope this helps, Cheers,


Sake
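As an added example, not part of Sake's reply or of Wireshark itself, the behaviour described above reproduced with Python's re module, whose "." likewise does not match a newline, run over constructed SIP payloads modelled on the message quoted in the thread. It goes one step beyond the thread by also showing the PCRE inline flag (?s), which lets "." cross line endings when the Via: headers are not adjacent.

```python
import re

# Constructed SIP payloads (modelled on the message quoted in the thread,
# not its exact bytes). SIP, like HTTP, terminates header lines with CRLF.
THREE_VIA = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bKD22343432336665633a787.0\r\n"
    "Via: SIP/2.0/UDP 10.10.10.100;branch=z9hG4bK-4fe05e85f80de1da371f137b46b23e25\r\n"
    "Via: SIP/2.0/UDP 10.10.10.50:5065;branch=z9hG4bK-d87543\r\n"
    "Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2\r\n"
    "\r\n"
)
ONE_VIA = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bKD22343432336665633a787.0\r\n"
    "Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2\r\n"
    "\r\n"
)

# Patterns as they would be typed into the display filter; the octal escapes
# \015\012 are written here as the CR/LF bytes the filter parser turns them into.
NAIVE = r"Via.*Via"            # what the original poster tried
CRLF = "Via: .*\r\nVia: .*"    # Sake's suggestion: match the CR/LF explicitly
DOTALL = r"(?s)Via.*Via"       # PCRE inline flag: let "." cross line endings


def matches(pattern: str, payload: str) -> bool:
    """Mimic 'udp matches "<pattern>"': an unanchored regex search over the payload."""
    return re.search(pattern, payload) is not None


def via_count(payload: str) -> int:
    """Count Via: lines directly, as a cross-check for the regex results."""
    return sum(1 for line in payload.split("\r\n") if line.startswith("Via:"))


if __name__ == "__main__":
    for name, pat in (("naive", NAIVE), ("crlf", CRLF), ("dotall", DOTALL)):
        print(f"{name:6} three Via: {matches(pat, THREE_VIA)}  one Via: {matches(pat, ONE_VIA)}")
```

The naive pattern fails on the three-Via payload because "." stops at the newline, while the explicit CR/LF pattern matches only when two Via: lines are directly adjacent, as Sake notes.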