I am studying a PCAP that is a sample of a LLMNR poisoning attack. The following filter works:
udp.port == 5355 && dns.flags.response == True && ( ip.source ne dns.resp.name )
I would like to make the ip.source ne dns.resp.name comparison case insensitive. I have tried the following but these turn the filter input field to red which I assume to be some sort of syntax error.
udp.port == 5355 && dns.flags.response == True && ( ip.source matches dns.resp.name )
udp.port == 5355 && dns.flags.response == True && ( ip.source matches "(?-i)cldc" dns.resp.name )
udp.port == 5355 && dns.flags.response == True && ( upper(string(ip.source)) != upper(string(dns.resp.name)) )
How do I make the ip.source ne dns.resp.name comparison case insensitive?