filter cant detect exist packet

asked 2023-12-06 12:39:40 +0000

abu
3 ●1 ●2

updated 2023-12-07 03:13:18 +0000

this filter can detect following packet.

ip.src == 203.141.241.0/24 && data.data matches"\xcc\xcc.{6,6}\x37\x11"

but this filter cannot detect.

ip.src == 203.141.241.0/24 && data.data matches"\xcc\xcc.{6,6}\x37\x11.*\x24\x02"

packet containing \x24\x02 in line 0x02a0. anyone knows reason?

No.     Time                          Source                Destination           Protocol Length Info
  12465 2023-12-06 18:23:41.411340    203.141.241.23        192.168.1.4           TCP      872    54632 → 49181 [PSH, ACK] Seq=86956 Ack=4631 Win=507 Len=818

Frame 12465: 872 bytes on wire (6976 bits), 872 bytes captured (6976 bits) on interface \Device\NPF_{92F34A3C-A9F7-49AC-9AFB-65AD6643BC83}, id 0
Ethernet II, Src: NECPlatforms_d5:52:36 (00:0d:02:d5:52:36), Dst: VMware_e5:42:ec (00:0c:29:e5:42:ec)
Internet Protocol Version 4, Src: 203.141.241.23, Dst: 192.168.1.4
Transmission Control Protocol, Src Port: 54632, Dst Port: 49181, Seq: 86956, Ack: 4631, Len: 818
Data (818 bytes)

0000  09 00 00 00 00 00 00 ff ff 20 75 38 00 57 c0 43   ......... u8.W.C
0010  00 00 00 00 00 41 08 00 00 00 00 00 00 ff ff 20   .....A......... 
0020  75 38 00 e4 c0 43 00 00 00 00 00 41 08 00 00 00   u8...C.....A....
0030  00 00 00 ff ff b3 3b fd 00 4e 36 3e 00 00 00 00   ......;..N6>....
0040  00 c1 01 00 00 00 00 00 00 ff ff b3 3b fd 00 87   ............;...
0050  e6 4b 00 00 00 00 00 41 09 00 00 00 00 00 00 ff   .K.....A........
0060  ff 10 00 2a 12 00 00 63 1a 3c 18 3f 00 64 00 ff   ...*...c.<.?.d..
0070  ff 12 00 97 12 00 00 01 00 2c 00 0c 00 02 00 00   .........,......
0080  00 00 00 10 00 2a 12 00 00 63 1a 3c 18 3f 00 64   .....*...c.<.?.d
0090  00 ff ff 12 00 97 12 00 00 01 00 2c 00 0c 00 02   ...........,....
00a0  00 00 00 00 00 10 00 2a 12 00 00 63 1a 3c 18 3f   .......*...c.<.?
00b0  00 64 00 ff ff 12 00 97 12 00 00 01 00 2c 00 0c   .d...........,..
00c0  00 02 00 00 00 00 00 10 00 2a 12 00 00 63 1a 3c   .........*...c.<
00d0  18 3f 00 64 00 ff ff 10 00 2a 12 00 00 63 1a 3c   .?.d.....*...c.<
00e0  18 3f 00 64 00 ff ff 10 00 2a 12 00 00 63 1a 3c   .?.d.....*...c.<
00f0  18 3f 00 64 00 ff ff 10 00 2a 12 00 00 63 1a 3c   .?.d.....*...c.<
0100  18 3f 00 64 00 ff ff 10 00 2a 12 00 00 63 1a 3c   .?.d.....*...c.<
0110  18 3f 00 64 00 ff ff ab 00 07 14 ...

(more)

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2023-12-06 19:01:07 +0000

Chuckc
3023 ●6 ●608 ●20

updated 2023-12-06 19:20:09 +0000

From the WSUG 6.4.2. Comparing Values:

6.4.2.3. Possible Pitfalls Using Regular Expressions

Alternatively, a raw string syntax can be used. Such strings are prefixed with r or R and treat backslash as a literal character.

Using raw strings avoids most problem with the "matches" operator and double escape requirements.

pcre2syntax man page:

CHARACTER TYPES

. any character except newline; in dotall mode, any character whatsoever

OPTION SETTING

Changes of these options within a group are automatically cancelled at the end of the group.

...

(?s) single line (dotall)

Combining the information above into a filter:

data.data matches r"(?s)\xcc\xcc.{6,6}\x37\x11.*\x24\x02"

It's possible to do some regex testing in Edit -> Find Packet...:

image description

edit flag offensive delete link

Comments

it worked fine. thank you.

abu ( 2023-12-06 19:21:43 +0000 )edit

add a comment

answered 2023-12-06 18:17:48 +0000

abu
3 ●1 ●2

I solved it myself. It works fine,if use [] as follows

ip.src == 203.141.241.0/24 && data.data matches"\xcc\xcc.{6,6}\x37\x11.*[\x24][\x02]"

ip.src == 203.141.241.0/24 && data.data matches"\xcc\xcc.{6,6}\x37\x11.*[\x24]\x02"

following will not work

ip.src == 203.141.241.0/24 && data.data matches"\xcc\xcc.{6,6}\x37\x11.*\x24[\x02]"

This may be a bug in the regular expression.

edit flag offensive delete link

add a comment