
Data filtering with wildcards

Hello,

Is there any way to filter hex packet data with wildcards? I'm looking for the data sequence ?4:??:67:55, where ? is an arbitrary value.

  1. I tried data.data matches ".\x4.{2}\x67\x55", which didn't work because regular expressions don't work for data.
  2. I tried data contains, but couldn't find a wildcard sign.
  3. I tried to save all packets to do the filtering with Notepad++ regular expressions, but I don't know how to export all data packets in text format.

Any ideas?

Thank you,
Dina

Dina, asked 2020-05-26 11:43:41 +0000, updated 2020-05-26 21:13:06 +0000

2 Answers


Which field contains your data? There is the string() function to transform a field value to a string. This makes it possible to do a regex on that field. Here is an example:

string(arp.src.hw_mac) ~ ".c:..:9d:77:0f:4b"

(where the . is a wildcard for any character, so any nibble in this case)

Please note that Wireshark uses the GNU regular expression library and therefore the syntax is similar to, but not exactly, the PCRE syntax; see the link to the library for more details on the syntax.

SYN-bit, answered 2020-05-27 09:43:04 +0000

Comments

string() would be a great solution, but it is not supported for the data.data field type FT_BYTES.
For fields where it is supported, there are nice examples of regex use in the wireshark-filter man page.

Chuckc (2020-05-27 14:31:12 +0000)

Check, I assumed Dina used data.data as a workaround, but if that is indeed the context in which the search needs to be done, the string() function won't work (the question is whether it should also work for FT_BYTES type fields; if so, an enhancement request on bugs.wireshark.org would be in order).

SYN-bit (2020-05-28 09:35:11 +0000)

It was discussed and left for future work.

Chuckc (2020-05-28 14:00:32 +0000)

Perl regex is focused on characters, so there is no easy way to filter on a nibble.

data.data matches "[\x08\x18\x28\x38\x48\x58\x68\x78\x88\x98\xa8\xb8\xc8\xd8\xe8\xf8].\\\x{1a}\\\x{1b}"


Syntax tips here in Bugzilla.
(Man page pointing to Perl Regular Expressions for future reference)

Chuckc, answered 2020-05-26 14:47:20 +0000, updated 2020-05-26 17:46:32 +0000

Comments

Hello bubbasnmp,

thank you for your reply. I'm quite familiar with PHP regular expressions, which seem to be similar to Perl. Your suggestion on nibbles seems to work: [\x08\x18\x28\x38] etc.

But how then to do a wildcard? In PHP regular expressions I just put a dot (.). But with Wireshark the dot doesn't work, at least not for hex data. Nevertheless, it can't be the intention of regular expressions to put 16^2 = 256 possible hex values into square brackets to get a wildcard!?

Three backslashes "\\\x34" don't work at all in my Wireshark version 3.2.3.0. The expression is just colored red.

In your above example, I don't understand the dot after the square brackets and the hex values in curly brackets:

 ].\\\x{1a}\\\x{1b}

What is your intention?

Sincerely,
Dina

Dina (2020-05-26 21:07:33 +0000)

The Perl Regular Expressions documentation suggests braces for clarity:

Similarly, \xnn, where nn are hexadecimal digits, matches the character whose native ordinal is nn. Again, not using exactly two digits is a recipe for disaster, but you can use \x{...} to specify any number of hex digits.

And "." matches a single character.

The example shows a search for "18 19 1a 1b", where the "[...]" section is a nibble match, a single character "." wildcards the 19, and hex matches cover 1a and 1b.

The sequence (?4:??:67:55) you were searching for would be:

data.data matches "[\x04\x14\x24\x34\x44\x54\x64\x74\x84\x94\xa4\xb4\xc4\xd4\xe4\xf4].\\\x{67}\\\x{55}"

Chuckc (2020-05-26 21:26:32 +0000)

Thank you very much!

Dina (2020-06-02 14:56:09 +0000)
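Pulling the two answers together, here is an added example (my own code, not from the thread and not Wireshark's) that builds the regex for a ?-pattern and exercises it with Python's re module as a stand-in for the PCRE-style engine the wireshark-filter man page points to. It shows why the high-nibble wildcard ?4 has to enumerate all sixteen bytes while the low-nibble wildcard 4? is a plain range, how the same pattern turns into the string() form from the first answer, and two caveats worth checking on a real capture: a comma placed between character-class members is itself a member of the class (so such a class also matches byte 0x2c), and in PCRE-family engines "." does not match the newline byte 0x0a unless dotall is on. Whether your Wireshark build sets dotall for matches is an assumption to test on a capture; this script does not verify it. The function names and the sample payload are mine.

```python
import re

HEX = "0123456789abcdef"


def parse_pattern(pattern):
    """Split a nibble-wildcard pattern such as "?4:??:67:55" into
    (high_nibble, low_nibble) pairs; '?' means any nibble. Bytes may be
    separated by ':' or whitespace."""
    pairs = []
    for tok in re.split(r"[:\s]+", pattern.strip()):
        if len(tok) != 2 or any(c not in HEX + "?" for c in tok.lower()):
            raise ValueError("bad byte token %r" % tok)
        pairs.append((tok[0].lower(), tok[1].lower()))
    return pairs


def byte_class(hi, lo):
    """Regex fragment matching one byte under the given nibble constraints."""
    if hi == "?" and lo == "?":
        return "."                      # any byte; needs dotall to include 0x0a
    if hi == "?":
        # ?4 = 04,14,24,...,f4 is not a contiguous range, so enumerate all 16
        # members in one class. No separators: a ',' would become a member
        # of the class and match byte 0x2c as well.
        return "[" + "".join("\\x%s%s" % (h, lo) for h in HEX) + "]"
    if lo == "?":
        # 4? = 40..4f is contiguous, so a range is enough
        return "[\\x%s0-\\x%sf]" % (hi, hi)
    return "\\x%s%s" % (hi, lo)


def to_bytes_regex(pattern):
    """Regex to apply to raw bytes, as in: data.data matches "...". """
    return "".join(byte_class(h, l) for h, l in parse_pattern(pattern))


def to_text_regex(pattern):
    """Regex for the string() form of a field (e.g. a MAC printed as
    xx:xx:xx:xx:xx:xx): one character per nibble, so '?' is simply '.'."""
    return ":".join(
        (h if h != "?" else ".") + (l if l != "?" else ".")
        for h, l in parse_pattern(pattern)
    )


def find_with_regex(regex, payload, dotall=True):
    """Offsets of all non-overlapping matches of a byte regex in a payload."""
    flags = re.DOTALL if dotall else 0
    return [m.start() for m in re.finditer(regex, payload, flags)]


def find_in_payload(pattern, payload, dotall=True):
    return find_with_regex(to_bytes_regex(pattern).encode("ascii"), payload, dotall)


def text_matches(pattern, text):
    return re.fullmatch(to_text_regex(pattern), text) is not None


# Constructed sample payload (not from a real capture). Three candidates for
# ?4:??:67:55: a4 ff 67 55 (match), 44 0a 67 55 (match only when '.' covers the
# newline byte 0x0a) and 2c 2c 67 55 (no match: the low nibble of 0x2c is c).
SAMPLE = bytes.fromhex("0102" "a4ff6755" "440a6755" "2c2c6755" "00")

# The same class with commas between the members. The commas are members too,
# so this regex also accepts the ',' byte 0x2c in the first position.
COMMA_CLASS_REGEX = (
    rb"[\x04,\x14,\x24,\x34,\x44,\x54,\x64,\x74,\x84,\x94,\xa4,\xb4,\xc4,\xd4,\xe4,\xf4]"
    rb".\x67\x55"
)

if __name__ == "__main__":
    print(to_bytes_regex("?4:??:67:55"))
    print(find_in_payload("?4:??:67:55", SAMPLE))                # [2, 6]
    print(find_in_payload("?4:??:67:55", SAMPLE, dotall=False))  # [2]
    print(find_with_regex(COMMA_CLASS_REGEX, SAMPLE))            # [2, 6, 10]
    print(to_text_regex("?c:??:9d:77:0f:4b"))                    # .c:..:9d:77:0f:4b
```

The byte regex printed for ?4:??:67:55 is the class from the accepted answer with the commas removed; paste it into the quotes of data.data matches and then confirm on a packet containing 0x0a in the wildcard position whether your build needs anything extra for "." to cover it.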
