Wireshark-users: Re: [Wireshark-users] Display Filter Regex

Date: Sat, 3 Nov 2012 07:14:24 -0700 (PDT)
Hi,

Does anyone have a suggestion for this? Please refer to the mail below for more details. I would like to know if it is possible to use a Display Filter Regex in Wireshark.

Thanks.


From: NeonFlash <psykosonik_frequenz@xxxxxxxxx>
To: "wireshark-users@xxxxxxxxxxxxx" <wireshark-users@xxxxxxxxxxxxx>
Sent: Tuesday, October 30, 2012 8:51 AM
Subject: Display Filter Regex

Hi,

I want to use a display filter for all the HTTP GET Requests which are of the form as shown below:

index.php?something=

As far as I know, the expression, "http contains" does not support Perl-compatible regular expressions.

I am using this display filter at the moment:

http.request.method == "GET" && http contains "php?"

however, it also displays some GET requests to paths as shown below:

/images/nature/forest.jpg

Even though the GET Request to the above path does not contain the string, php?

My guess is that it displays those frames as well because they belong to the same tcp stream as the one which involves the GET request to php files?

http matches does support PCRE but then, I cannot use it with the above form.

It would be great to make this display filter more exact.

Thanks.
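
Added example, not part of the original thread: a Python sketch contrasting a substring test over the whole HTTP message with a regex scoped to the request URI only. The sample requests, the `Referer` header and all function names are constructed, and it assumes the extra hits come from header text; the URI-scoped Wireshark form would be `http.request.method == "GET" && http.request.uri matches "index[.]php[?][^=]+="`.

```python
import re

# Constructed sample requests (not from the original mail). The second asks for
# an image but carries a Referer header that points at a PHP page.
REQUESTS = [
    b"GET /index.php?something=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /images/nature/forest.jpg HTTP/1.1\r\nHost: example.test\r\n"
    b"Referer: http://example.test/index.php?something=1\r\n\r\n",
    b"POST /index.php?something=1 HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 0\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

# Character classes instead of backslash escapes, so the same pattern can be
# pasted into a quoted display-filter string without extra escaping.
URI_RE = re.compile(rb"index[.]php[?][^=]+=")


def parse_request_line(raw):
    """Return (method, uri) from the request line, or None if malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1]


def whole_message_filter(raw):
    """Emulates: http.request.method == "GET" && http contains "php?"."""
    parsed = parse_request_line(raw)
    return parsed is not None and parsed[0] == b"GET" and b"php?" in raw


def uri_scoped_filter(raw):
    """Emulates matching the regex against the request URI field only."""
    parsed = parse_request_line(raw)
    return (parsed is not None and parsed[0] == b"GET"
            and URI_RE.search(parsed[1]) is not None)


def matching_uris(predicate):
    """URIs of the constructed requests that the given filter accepts."""
    return [parse_request_line(r)[1].decode() for r in REQUESTS if predicate(r)]


if __name__ == "__main__":
    print("whole message:", matching_uris(whole_message_filter))
    print("URI only:     ", matching_uris(uri_scoped_filter))
```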