Yaah, I dug into docs and found that regex could be used in display filters.
Unfortunately, windows installer for Wireshark does not have PCRE support.
Am I right?
Do I understand correctly, that I need re-compile wireshark from the source
under windows to have regex support?
If yes, than, well, sorry, I can't do it...
--i.n.
On 5/2/07, Gerald Combs <[EMAIL PROTECTED]> wrote:
Irakli Natshvlishvili wrote:
> Question:
>
> Using display filters is there a way to find if a particular string
> occurs more then once in a packet?
>
> For example, if there is an UDP packet which has payload "this is one
> 1234 two one test", then filtering via UDP contains "one" will display
> this UDP packet.
>
> But I want to filter ALL packets, where this particular string occurs
> more then once.
>
> Any way do do it?
If you have PCRE support compiled in, you can use something like
udp matches "one.*one"
That translates to "the string 'one' followed by zero or more characters
followed by the string 'one'." The "matches" operator supports
Perl-compatible regular expressions, which are described at
http://perldoc.perl.org/perlre.html .
You can check for PCRE support via "Help->About Wireshark" or by using
the "-v" command-line flag. You can also type in the filter above and
see if the display filter entry turns green.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
--
I.N.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
