Ask Your Question

For filters, is there a facility to include the next packet in the sequence for a selected criteria?

asked 2018-03-23 18:42:06 +0000

dave gravatar image

updated 2018-03-25 02:56:14 +0000

Can we have regular expression like this? Eg 'cond' is my condition and I can say something like: cond || (cond +1) So it displays all packets meeting my cond and also displays the packet next to the packet meeting the cond.

edit retag flag offensive close merge delete


Have you looked at mate?

cmaynard gravatar imagecmaynard ( 2018-03-23 21:15:03 +0000 )edit

cmaynard, thanks for your response. I am exploring MATE now. As far as I understand, MATE works on protocol information inbuilt in the tool. Sometimes we need to check a few patterns which are not bound by protocol. So having more flexibility in regular expressions is far more valuable than having the tool know the protocol.

dave gravatar imagedave ( 2018-03-25 02:55:34 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2018-03-25 18:52:46 +0000

Guy Harris gravatar image

1) Filter expressions aren't not regular expressions in the Kleene sense, they're tests of the values of protocol fields, although Kleene-style regular-expression matching is one type of test that can be performed, using the "matches" operator.

2) That wouldn't be a question of "flexibility", it would be a question of a massive revamp of the way filtering is done, as the notion that a filter applies only to the contents of the packet being filtered, not to subsequent or previous packets, is fundamentally built into the filtering code.

It might even end up best being done as a mechanism separate from the filter-evaluation mechanism - a mechanism such as MATE.

3) If "the tool" means Wireshark, "the tool" won't be able to do anything for you if it doesn't "know the protocol", in the sense of knowing how to dissect fields in the protocol. MATE doesn't have wired into it knowledge of particular protocols; it has a language that allows you to specify named fields for any protocol that Wireshark can dissect. However, the goal of MATE is to allow patterns that involve relationships between the values of named fields, where those relationships aren't tested by the dissector logic, to be specified. You inherently have to have patterns that are "bound by the protocol" in the sense of testing fields in the protocol; what MATE does is let you have patterns that aren't bound by the logic of the dissector.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-03-23 18:42:06 +0000

Seen: 48 times

Last updated: Mar 25