Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2023-12-06 19:01:07 +0000

Chuckc gravatar image

From the 6.4.2. Comparing Values:

6.4.2.3. Possible Pitfalls Using Regular Expressions

Alternatively, a raw string syntax can be used. Such strings are prefixed with r or R and treat backslash as a literal character.

Using raw strings avoids most problem with the "matches" operator and double escape requirements.

pcre2syntax man page:

CHARACTER TYPES

. any character except newline; in dotall mode, any character whatsoever

OPTION SETTING

Changes of these options within a group are automatically cancelled at the end of the group.

...

(?s) single line (dotall)

Combining the information above into a filter:

data.data matches r"(?s)\xcc\xcc.{6,6}\x37\x11.*\x24\x02"

From the WSUG 6.4.2. Comparing Values:

6.4.2.3. Possible Pitfalls Using Regular Expressions

Alternatively, a raw string syntax can be used. Such strings are prefixed with r or R and treat backslash as a literal character.

Using raw strings avoids most problem with the "matches" operator and double escape requirements.

pcre2syntax man page:

CHARACTER TYPES

. any character except newline; in dotall mode, any character whatsoever

OPTION SETTING

Changes of these options within a group are automatically cancelled at the end of the group.

...

(?s) single line (dotall)

Combining the information above into a filter:

data.data matches r"(?s)\xcc\xcc.{6,6}\x37\x11.*\x24\x02"

From the WSUG 6.4.2. Comparing Values:

6.4.2.3. Possible Pitfalls Using Regular Expressions

Alternatively, a raw string syntax can be used. Such strings are prefixed with r or R and treat backslash as a literal character.

Using raw strings avoids most problem with the "matches" operator and double escape requirements.

pcre2syntax man page:

CHARACTER TYPES

. any character except newline; in dotall mode, any character whatsoever

OPTION SETTING

Changes of these options within a group are automatically cancelled at the end of the group.

...

(?s) single line (dotall)

Combining the information above into a filter:

data.data matches r"(?s)\xcc\xcc.{6,6}\x37\x11.*\x24\x02"

It's possible to do some regex testing in Edit -> Find Packet...:

image description