Datafiltering with wildcards

asked 2020-05-26 11:43:41 +0000

Dina

updated 2020-05-26 21:13:06 +0000


is there any possibility to filter hex package data with wildcards? I'm looking for the datasequence: ?4:??:67:55 where ? is an arbitrary value.

  1. I tried with matches ".\x4.{2}\x67\x55" which didn't work because regular expressions don't work for data.
  2. I tried with data contains, but couldn't find a wildcard sign.
  3. I tried to save all packages to do the filtering with notepad++ regular expressions, but I don't know how to export all data packages in text-format.

Any ideas?

Thank you Dina

2 Answers

answered 2020-05-26 14:47:20 +0000

Chuckc

updated 2020-05-26 17:46:32 +0000

Perl is focused on characters so no easy way to filter on a nibble.  matches "[\x08,\x18,\x28,\x38,\x48,\x58,\x68,\x78,\x88,\x98,\xa8,\xb8,\xc8,\xd8,\xe8,\xf8].\\\x{1a}\\\x{1b}"

Syntax tips here in Bugzilla.
(Man page pointing to Perl Regular Expressions for future reference)

Hallo bubbasnmp,

thank you for your reply. I'm quite familiar with PHP regular expressions, which seem to be similar to Perl. Your suggestion on nibbles seems to work: [\x08\x18\x28\x38] etc.

But how then to do a wildcard? In PHP regular expressions I just put a dot (.). But with Wireshark the dot doesn't work, at least not for hex data. Nevertheless, it can't be the intention of regular expressions to put 16^2=256 possible hex values into square brackets to get a wildcard!?

Three backslashes "\\\x34" don't work at all in my Wireshark version. The expression is just colored red.

In your above example, I don't understand the dot after the square brackets and the hexvalues in curly brackets:


What is your intention?

Sincerely Dina

Dina (2020-05-26 21:07:33 +0000)

The Perl Regular Expressions suggests braces for clarity:

Similarly, \xnn, where nn are hexadecimal digits, matches the character whose native ordinal is nn. Again, not using exactly two digits is a recipe for disaster, but you can use \x{...} to specify any number of hex digits.

And "." matches a single character.

The example shows a search for "18 19 1a 1b" where the "[...]" section is a nibble match, a single character "." to wildcard the 19 and hex matches for 1a and 1b.

The sequence (?4:??:67:55) you were searching for would be:  matches "[\x04,\x14,\x24,\x34,\x44,\x54,\x64,\x74,\x84,\x94,\xa4,\xb4,\xc4,\xd4,\xe4,\xf4].\\\x{67}\\\x{55}"
Chuckc (2020-05-26 21:26:32 +0000)
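As an added example (not code from this thread, and not run inside Wireshark), the nibble-class construction from the comment above carried out in Python: a pattern such as ?4:??:67:55 is turned into a bytes regex where a half-wildcarded byte becomes a character class of the 16 matching byte values, a fully wildcarded byte becomes ".", and the result is run over constructed sample payloads. The function names and sample bytes are my own.

```python
import re


def nibble_pattern_to_regex(pattern: str) -> bytes:
    """Translate a colon-separated hex pattern ("?4:??:67:55", "?" = any nibble)
    into a bytes regex using the nibble-class idea from the thread."""
    parts = []
    for tok in pattern.split(":"):
        if len(tok) != 2:
            raise ValueError(f"bad byte token {tok!r}")
        value, mask = 0, 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "?":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        if mask == 0:
            parts.append(b".")                       # fully wildcarded byte
        elif mask == 0xFF:
            parts.append(b"\\x%02x" % value)         # literal byte
        else:
            # every byte whose fixed nibble matches: 16 members for one "?"
            members = b"".join(b"\\x%02x" % b for b in range(256) if b & mask == value)
            parts.append(b"[" + members + b"]")
    return b"".join(parts)


def find_matches(pattern: str, payload: bytes) -> list:
    """Return offsets where the pattern occurs in payload. re.DOTALL matters:
    without it "." refuses to match 0x0a, an ordinary byte in packet data,
    so a ?? wildcard would silently miss some frames."""
    regex = re.compile(nibble_pattern_to_regex(pattern), re.DOTALL)
    return [m.start() for m in regex.finditer(payload)]


# Constructed sample payloads, not captured traffic.
PAYLOADS = {
    "hit": bytes.fromhex("00 11 a4 0a 67 55 ff"),      # a4 0a 67 55 at offset 2
    "miss": bytes.fromhex("00 11 a5 0a 67 55 ff"),     # low nibble 5, not 4
    "two": bytes.fromhex("34 ff 67 55 04 de 67 55"),   # occurrences at 0 and 4
}

if __name__ == "__main__":
    print(nibble_pattern_to_regex("?4:??:67:55"))
    for name, data in PAYLOADS.items():
        print(name, find_matches("?4:??:67:55", data))
```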

Thank you very much!

Dina (2020-06-02 14:56:09 +0000)

answered 2020-05-27 09:43:04 +0000

SYN-bit

Which field contains your data? There is the string() function to transform a field value to a string. This makes it possible to do a regex on that field. Here is an example:

string(arp.src.hw_mac) ~ ".c:..:9d:77:0f:4b"

(where the . is a wildcard for any character, so any nibble in this case)

Please note that Wireshark uses the GNU regular expression library and therefore the syntax is similar to, but not exactly, the PCRE syntax; see the link to the library for more details on the syntax.

string() would be a great solution, but it is not supported for field type FT_BYTES.
For fields where it is supported, nice examples and regex use in the wireshark-filter man page.

Chuckc (2020-05-27 14:31:12 +0000)

Check, I assumed Dina used as a workaround, but if that is indeed the context in which the search needs to be done, the string() function won't work (question is: should it also work for FT_BYTES type fields, then an enhancement request on would be in order)

SYN-bit (2020-05-28 09:35:11 +0000)

It was discussed and left for future work.

Chuckc (2020-05-28 14:00:32 +0000)
