
Datafiltering with wildcards

asked 2020-05-26 11:43:41 +0000

Dina

updated 2020-05-26 21:13:06 +0000

Hello,

Is there any possibility to filter hex package data with wildcards? I'm looking for the data sequence: ?4:??:67:55 where ? is an arbitrary value.

  1. I tried with data.data matches ".\x4.{2}\x67\x55" which didn't work because regular expressions don't work for data.
  2. I tried with data contains, but couldn't find a wildcard sign.
  3. I tried to save all packages to do the filtering with Notepad++ regular expressions, but I don't know how to export all data packages in text format.

Any ideas?

Thank you Dina


2 Answers


answered 2020-05-26 14:47:20 +0000

Chuckc

updated 2020-05-26 17:46:32 +0000

Perl is focused on characters so no easy way to filter on a nibble.

data.data matches "[\x08\x18\x28\x38\x48\x58\x68\x78\x88\x98\xa8\xb8\xc8\xd8\xe8\xf8].\\\x{1a}\\\x{1b}"


Syntax tips here in Bugzilla.
(Man page pointing to Perl Regular Expressions for future reference)


Comments

Hello bubbasnmp,

thank you for your reply. I'm quite familiar with PHP regular expressions, which seem to be similar to Perl. Your suggestion on nibbles seems to work: [\x08\x18\x28\x38] etc.

But how then to do a wildcard? In PHP regular expressions I just put a dot (.). But with Wireshark the dot doesn't work. At least not for hex data. Nevertheless, it can't be the intention of regular expressions to put 16^2=256 possible hex values into square brackets to get a wildcard!?

Three backslashes "\\\x34" don't work at all in my wireshark version 3.2.3.0. The expression is just colored red.

In your above example, I don't understand the dot after the square brackets and the hexvalues in curly brackets:

 ].\\\x{1a}\\\x{1b}

What is your intention?

Sincerely Dina

Dina ( 2020-05-26 21:07:33 +0000 )

The Perl Regular Expressions suggests braces for clarity:

Similarly, \xnn, where nn are hexadecimal digits, matches the character whose native ordinal is nn. Again, not using exactly two digits is a recipe for disaster, but you can use \x{...} to specify any number of hex digits.

And "." matches a single character.

The example shows a search for "18 19 1a 1b" where the "[...]" section is a nibble match, a single character "." to wildcard the 19 and hex matches for 1a and 1b.

The sequence (?4:??:67:55) you were searching for would be:

data.data matches "[\x04\x14\x24\x34\x44\x54\x64\x74\x84\x94\xa4\xb4\xc4\xd4\xe4\xf4].\\\x{67}\\\x{55}"

Chuckc ( 2020-05-26 21:26:32 +0000 )

Thank you very much!

Dina ( 2020-06-02 14:56:09 +0000 )
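An added example, not part of the original thread or of Wireshark: the nibble-class idea from the answer above, generalized to any ?-wildcard spec and applied offline to payload bytes in Python. The function names and sample payloads are constructed for illustration, and the payload is assumed to be available as a hex string.

```python
import re

HEX = "0123456789abcdef"

def nibble_pattern(spec):
    """Compile a spec such as '?4:??:67:55' into a bytes regex.

    '?' stands for any nibble. A token with one '?' becomes a class of the
    16 byte values that fit; '??' becomes '.', which needs DOTALL because a
    bare dot does not match byte 0x0a.
    """
    parts = []
    for token in spec.split(":"):
        if not re.fullmatch(r"[0-9a-fA-F?]{2}", token):
            raise ValueError("bad token: %r" % token)
        hi, lo = token.lower()
        if hi == "?" and lo == "?":
            parts.append(b".")
            continue
        values = [int(h + l, 16)
                  for h in (HEX if hi == "?" else hi)
                  for l in (HEX if lo == "?" else lo)]
        # No separators inside the class: a comma there would be a literal
        # member and would also match byte 0x2c.
        parts.append(b"[" + b"".join(b"\\x%02x" % v for v in values) + b"]")
    return re.compile(b"".join(parts), re.DOTALL)

def find_all(spec, payload_hex):
    """Return byte offsets of non-overlapping matches in a hex payload."""
    data = bytes.fromhex(payload_hex.replace(":", ""))
    return [m.start() for m in nibble_pattern(spec).finditer(data)]

if __name__ == "__main__":
    # Constructed sample payloads, colon-separated hex.
    samples = [
        "00:a4:0a:67:55:ff",           # wildcard byte is 0x0a
        "2c:19:67:55",                 # 0x2c must not match ?4
        "34:12:67:55:00:f4:ff:67:55",  # two hits
    ]
    for s in samples:
        print(s, "->", find_all("?4:??:67:55", s))
```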

answered 2020-05-27 09:43:04 +0000

SYN-bit

Which field contains your data? There is the string() function to transform a field value to a string. This makes it possible to do a regex on that field. Here is an example:

string(arp.src.hw_mac) ~ ".c:..:9d:77:0f:4b"

(where the . is a wildcard for any character, so any nibble in this case)

Please note that Wireshark uses the GNU regular expression library and therefore the syntax is similar but not exactly the PCRE syntax, see the link to the library for more details on the syntax.


Comments

string() would be a great solution but not supported for data.data field type FT_BYTES
For fields where it is supported, nice examples and regex use in the wireshark-filter man page.

Chuckc ( 2020-05-27 14:31:12 +0000 )

Check, I assumed Dina used data.data as a workaround, but if that is indeed the context in which the search needs to be done, the string() function won't work (question is: should it also work for FT_BYTES type fields, then an enhancement request on bugs.wireshark.org would be in order)

SYN-bit ( 2020-05-28 09:35:11 +0000 )

It was discussed and left for future work.

Chuckc ( 2020-05-28 14:00:32 +0000 )

Stats

Asked: 2020-05-26 11:43:41 +0000

Seen: 5,043 times

Last updated: May 27 '20