On Wed, May 02, 2007 at 04:25:31PM -0800, Irakli Natshvlishvili wrote:
> It does, thanks.
>
> But I still have a problem applying the correct filter. For example, here is
> content of UDP packet:
>
> ---------------------------------------------------------------------------------
> SIP/2.0 200 OK
> To: <sip:[email protected]>;tag=51d14022
> From: 9094354499<sip:[email protected]>;tag=4c3d535f
> Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bKD22343432336665633a787.0
> Via: SIP/2.0/UDP 10.10.10.100
> ;branch=z9hG4bK-4fe05e85f80de1da371f137b46b23e25;psrrposn=1
> Via: SIP/2.0/UDP 10.10.10.50:5065
> ;branch=z9hG4bK-d87543-9b1a2741582f6b580701-1-cHA4NmI1ZmE3MDEzOWRmZjFhMzViZg..-d87543-
> Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2
> CSeq: 342974572 INVITE
> Contact: <
> sip:4pbueHxLlmmKCczZ-2iiiSB3Y37p6oGYVI7qOS2l5TN2_Oan0FWp60466xKFg..@10.10.10.10
> >
> User-Agent: Tele2100
> ---------------------------------------------------------------------------------
>
> Look at rows #4-7. They start with "Via:" string
> I want to find all packets where "Via:" string occurs more then once, above
> packet is an example.
>
> But when I use filter
>
> udp matches "Via.*Via"
>
> It does not display anything.
>
> What I'm doing wrong?
Regular expressions are line based, so the "." (match any character) does
not match a CR/LF. You have to match against those yourself for it to
work.
Look at the following http-header:
Host: www.google.nl
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11)
If I use the filter 'http matches "Host: .*\015\012User-Agent: .*"', it
will filter out all the http-packets were the User-Agent header follows
the Host header. I use \015\012 (the octal representation of a CR/LF).
You could also use 'http matches "Host: .*\\r\\nUser-Agent: .*"', can
anyone explain why I need to escape the "\" with the \r and \n, but
I don't have to escape the \ in the octal representation?
So, back to your filter, if the Via: headers are put after one another
(as in your example), you could use 'udp matches "Via: .*\015\012Via: .*"'.
Hope this helps, Cheers,
Sake