Wireshark-users: Re: [Wireshark-users] Display filter

From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Thu, 03 May 2007 14:26:58 -0700
Normally, the '.' metacharacter doesn't match line-ending characters.
You can force it to span multiple lines using the 's' option, like so:

    (?s)Via.*Via

Irakli Natshvlishvili wrote:
> Sake,
> 
> I modified the filter, "Via.*\x0d\x0aVia.*" does work for the capture
> I've posted.
> 
> But, will it work in case if 'Via' headers ARE NOT next to each other?
> 
> I mean, if a message looks like this:
> 
> To: <sip:[email protected]>;tag=51d14022
> From: 9094354499<sip:[email protected]>;tag=4c3d535f
> Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bKD22343432336665633a787.0
> Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2
> Via: SIP/2.0/UDP 10.10.10.100;branch=z9hG4bK-4fe05e85f80de1da371f137b46b23e25;psrrposn=1
> 
> Contact: <sip:4pbueHxLlmmKCczZ-2iiiSB3Y37p6oGYVI7qOS2l5TN2_Oan0FWp60466xKFg..@10.10.10.10>
> Via: SIP/2.0/UDP 10.10.10.50:5065;branch=z9hG4bK-d87543-9b1a2741582f6b580701-1-cHA4NmI1ZmE3MDEzOWRmZjFhMzViZg..-d87543-
> 
> CSeq: 342974572 INVITE
> User-Agent: Tele2100
> 
> Will the above filter still work? Unfortunately I do not have a message
> like this to test in Wireshark.
> 
> So, in essence my goal is the following:
> 
> find a stringA in the packet followed by stringB, when between stringA
> and stringB there could be 0 or more CRLF.
> 
> Which in plain English means that stringA and stringB could be in the
> same line (before CRLF), could be in different lines.
> 
> Anyone can help? I'm not a regex guru.
> 
> --i.n.
> 
> On 5/2/07, Sake Blok <sake@xxxxxxxxxx> wrote:
> 
>     On Wed, May 02, 2007 at 10:05:47PM -0800, Irakli Natshvlishvili wrote:
>     > I've just tried. Does not work.
> 
>     Can you post a small capture file with a few packets that you would
>     like to match against?
> 
>     Cheers,
> 
> 
>     Sake
> 
> 
>     _______________________________________________
>     Wireshark-users mailing list
>     Wireshark-users@xxxxxxxxxxxxx
>     http://www.wireshark.org/mailman/listinfo/wireshark-users
> 
> 
> 
> 
> -- 
> I.N.
> 
> 
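
The behaviour discussed in this thread, as an added example that is not part of the original messages: it runs the two patterns from the thread, plus the unflagged `Via.*Via`, against constructed SIP fragments. It uses Python's `re` module as a stand-in for the regex engine behind Wireshark's `matches` operator (for these patterns `.` and `(?s)` behave the same way); the payloads and the `line_anchored` pattern are assumptions added here to show a stricter alternative.

```python
import re

# Constructed SIP fragments with CRLF line endings, modelled on the thread's sample.
START = "INVITE sip:bob@example.invalid SIP/2.0\r\n"
VIA_A = "Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK-aaa\r\n"
VIA_B = "Via: SIP/2.0/UDP 10.10.10.100;branch=z9hG4bK-bbb\r\n"
END = "CSeq: 1 INVITE\r\n\r\n"

# Two Via headers directly after one another.
ADJACENT = START + VIA_A + VIA_B + END
# Two Via headers with another header in between (the case asked about).
SEPARATED = START + VIA_A + "Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2\r\n" + VIA_B + END
# Only one Via header, but the word "Via" also appears inside another header value.
ONE_VIA_PLUS_WORD = START + VIA_A + "Subject: routed Via proxy\r\n" + END

PATTERNS = {
    # '.' stops at the line feed, so this never reaches a second header line.
    "default_dot": r"Via.*Via",
    # The filter from the quoted message: needs Via lines back to back.
    "crlf_adjacent": r"Via.*\x0d\x0aVia.*",
    # Gerald's suggestion: (?s) lets '.' match line endings too.
    "dotall": r"(?s)Via.*Via",
    # Assumption, not from the thread: require both matches to be header names
    # at the start of a line, so a stray "Via" in a value does not count.
    "line_anchored": r"(?ms)^Via:.*^Via:",
}


def results(payload):
    """Return {pattern name: True/False} for one payload."""
    return {name: bool(re.search(rx, payload)) for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    samples = {
        "ADJACENT": ADJACENT,
        "SEPARATED": SEPARATED,
        "ONE_VIA_PLUS_WORD": ONE_VIA_PLUS_WORD,
    }
    for label, payload in samples.items():
        print(label, results(payload))
```

The third sample shows the trade-off of the unanchored `(?s)` form: it reports a match whenever the string "Via" occurs twice anywhere in the payload, not only when there are two Via headers.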