Ask Your Question
0

reg expressions in display filters

asked 2019-04-09 15:08:56 +0000

Rogerthered gravatar image

I need to create a display filter that will display packets between *:54 and *:56. In other words packets within the time frame of 54 minutes past the hour and 56 minutes after the hour.

This filter displays these packets between 20:54 and 20:56.

I'm looking for a specific pattern that may occur in that time frame.

Wireshark is not happy with the obvious "*" in the hour, (frame.time >= "Jan 27, 2019 *:54:27.690433000") && (frame.time <= "Jan 27, 2019 *:56:27.690433000")

Thanks for the help.

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-04-09 18:50:51 +0000

Ross Jacobs gravatar image

updated 2019-04-09 19:12:30 +0000

I made a small python gist to create a pcap from packets where the output of a display filter matches a given regex. In your case, you would use:

python reshark.py <your.pcap> frame.time "Jan 27, 2019 \d{2}:\5[4-5]"

Obligatory reference to Regular vs Context-Free Grammars

edit flag offensive delete link more
0

answered 2019-04-09 18:14:18 +0000

SYN-bit gravatar image

Unfortunately you can't use a regex on a date/time field and neither can you convert the date/time field to a string with "string(frame.time)" (which does work on other types of fields). I see no way to solve this with display filters. However, using tshark you may be able to solve this.

To get a list of all frame numbers that match the timeframe *:54:00 to *:55:59 you can use:

tshark -r <file> -T fields -e frame.number -e frame.time | grep "2019 .*:5[45]:" | cut -f 1 | xargs

Then you can feed this into a second tshark command to extract the packets:

tshark -r <file> -w <newfile -Y "$( tshark -r pbx.pcapng -T fields -e frame.number -e frame.time | grep "2019 .*:5[45]:" | cut -f 1 | xargs )"
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-04-09 15:08:56 +0000

Seen: 2,002 times

Last updated: Apr 09 '19