# Datafiltering with wildcards

Hello,

is there any possibility to filter hex packet data with wildcards? I'm looking for the data sequence ?4:??:67:55 where ? is an arbitrary value.

1. I tried with data.data matches ".\x4.{2}\x67\x55" which didn't work because regular expressions don't work for data.
2. I tried with data contains, but couldn't find a wildcard sign.
3. I tried to save all packets to do the filtering with Notepad++ regular expressions, but I don't know how to export all data packets in text format.

Any ideas?

Thank you, Dina


Perl is focused on characters so no easy way to filter on a nibble.

data.data  matches "[\x08,\x18,\x28,\x38,\x48,\x58,\x68,\x78,\x88,\x98,\xa8,\xb8,\xc8,\xd8,\xe8,\xf8].\\\x{1a}\\\x{1b}"


Syntax tips here in Bugzilla.
(Man page pointing to Perl Regular Expressions for future reference)


Hallo bubbasnmp,

thank you for your reply. I'm quite familiar with PHP regular expressions, which seem to be similar to Perl. Your suggestion on nibbles seems to work: [\x08\x18\x28\x38] etc.

But how then to do a wildcard? In PHP regular expressions I just put a dot (.). But with Wireshark the dot doesn't work, at least not for hex data. Nevertheless, it can't be the intention of regular expressions to put 16^2=256 possible hex values into square brackets to get a wildcard!?

Three backslashes "\\\x34" don't work at all in my Wireshark version 3.2.3.0. The expression is just colored red.

In your above example, I don't understand the dot after the square brackets and the hexvalues in curly brackets:

 ].\\\x{1a}\\\x{1b}


Sincerely Dina

(2020-05-26 21:07:33 +0000)

The Perl Regular Expressions documentation suggests braces for clarity:

Similarly, \xnn, where nn are hexadecimal digits, matches the character whose native ordinal is nn. Again, not using exactly two digits is a recipe for disaster, but you can use \x{...} to specify any number of hex digits.


And "." matches a single character.

The example shows a search for "18 19 1a 1b" where the "[...]" section is a nibble match, a single character "." to wildcard the 19 and hex matches for 1a and 1b.

The sequence (?4:??:67:55) you were searching for would be:

data.data  matches "[\x04,\x14,\x24,\x34,\x44,\x54,\x64,\x74,\x84,\x94,\xa4,\xb4,\xc4,\xd4,\xe4,\xf4].\\\x{67}\\\x{55}"

(2020-05-26 21:26:32 +0000)

Thank you very much!

(2020-06-02 14:56:09 +0000)
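The nibble-class construction worked out in the thread above, generalised to any byte pattern with '?' wildcards, as an added example (not code from the thread or from Wireshark). The helper names are hypothetical; note that a comma inside a character class is a literal byte, so the class is emitted without them.

```python
import re

# Added example: expand a nibble-wildcard pattern such as "?4:??:67:55"
# into a PCRE-style regex, in the same form the thread builds by hand.
HEX = "0123456789abcdef"

def nibble_pattern_to_regex(pattern: str) -> str:
    """Translate colon-separated byte tokens with '?' nibble wildcards to a regex."""
    parts = []
    for tok in pattern.lower().split(":"):
        if len(tok) != 2 or any(c not in HEX + "?" for c in tok):
            raise ValueError(f"bad byte token: {tok!r}")
        hi, lo = tok
        if tok == "??":
            parts.append(".")                      # whole byte is a wildcard
        elif hi == "?":
            # High nibble free, low nibble fixed: a class listing all 16 bytes.
            # No commas inside the class: a literal ',' would also match 0x2c.
            parts.append("[" + "".join(f"\\x{h}{lo}" for h in HEX) + "]")
        elif lo == "?":
            parts.append(f"[\\x{hi}0-\\x{hi}f]")   # low nibble free: a byte range
        else:
            parts.append(f"\\x{hi}{lo}")           # fully specified byte
    return "".join(parts)

def wireshark_filter(field: str, pattern: str) -> str:
    """Wrap the regex in a display filter expression for the given field.
    How the double-quoted filter string escapes backslashes differs between
    Wireshark versions (the thread hits this in 3.2.3), so check that the
    filter compiles (turns green) in your own version."""
    return f'{field} matches "{nibble_pattern_to_regex(pattern)}"'

def payload_matches(pattern: str, payload: bytes) -> bool:
    """Check a raw payload (constructed sample bytes in the test) against the
    pattern.  DOTALL matters for binary data: without it a '.' position would
    refuse to match byte 0x0a, which PCRE-style engines treat as newline."""
    regex = nibble_pattern_to_regex(pattern).encode()
    return re.search(regex, payload, re.DOTALL) is not None

if __name__ == "__main__":
    print(wireshark_filter("data.data", "?4:??:67:55"))
```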

Which field contains your data? There is the string() function to transform a field value to a string. This makes it possible to do a regex on that field. Here is an example:

string(arp.src.hw_mac) ~ ".c:..:9d:77:0f:4b"


(where the . is a wildcard for any character, so any nibble in this case)

Please note that Wireshark uses the GNU regular expression library and therefore the syntax is similar but not exactly the PCRE syntax; see the link to the library for more details on the syntax.


string() would be a great solution but is not supported for the data.data field type FT_BYTES.
For fields where it is supported, there are nice examples of regex use in the wireshark-filter man page.

(2020-05-27 14:31:12 +0000)

Check, I assumed Dina used data.data as a workaround, but if that is indeed the context in which the search needs to be done, the string() function won't work (the question is: should it also work for FT_BYTES type fields? Then an enhancement request on bugs.wireshark.org would be in order).

(2020-05-28 09:35:11 +0000)

It was discussed and left for future work.

(2020-05-28 14:00:32 +0000)