
Filter can't detect existing packet

This filter can detect the following packet.

ip.src == 203.141.241.0/24 && data.data matches "\xcc\xcc.{6,6}\x37\x11"

But this filter cannot detect it.

ip.src == 203.141.241.0/24 && data.data matches "\xcc\xcc.{6,6}\x37\x11.*\x24\x02"

The packet contains \x24\x02 on line 0x02a0. Does anyone know the reason?

No.     Time                          Source                Destination           Protocol Length Info
  12465 2023-12-06 18:23:41.411340    203.141.241.23        192.168.1.4           TCP      872    54632 → 49181 [PSH, ACK] Seq=86956 Ack=4631 Win=507 Len=818

Frame 12465: 872 bytes on wire (6976 bits), 872 bytes captured (6976 bits) on interface \Device\NPF_{92F34A3C-A9F7-49AC-9AFB-65AD6643BC83}, id 0
Ethernet II, Src: NECPlatforms_d5:52:36 (00:0d:02:d5:52:36), Dst: VMware_e5:42:ec (00:0c:29:e5:42:ec)
Internet Protocol Version 4, Src: 203.141.241.23, Dst: 192.168.1.4
Transmission Control Protocol, Src Port: 54632, Dst Port: 49181, Seq: 86956, Ack: 4631, Len: 818
Data (818 bytes)
0000  09 00 00 00 00 00 00 ff ff 20 75 38 00 57 c0 43   ......... u8.W.C
0010  00 00 00 00 00 41 08 00 00 00 00 00 00 ff ff 20   .....A......... 
0020  75 38 00 e4 c0 43 00 00 00 00 00 41 08 00 00 00   u8...C.....A....
0030  00 00 00 ff ff b3 3b fd 00 4e 36 3e 00 00 00 00   ......;..N6>....
0040  00 c1 01 00 00 00 00 00 00 ff ff b3 3b fd 00 87   ............;...
0050  e6 4b 00 00 00 00 00 41 09 00 00 00 00 00 00 ff   .K.....A........
0060  ff 10 00 2a 12 00 00 63 1a 3c 18 3f 00 64 00 ff   ...*...c.<.?.d..
0070  ff 12 00 97 12 00 00 01 00 2c 00 0c 00 02 00 00   .........,......
0080  00 00 00 10 00 2a 12 00 00 63 1a 3c 18 3f 00 64   .....*...c.<.?.d
0090  00 ff ff 12 00 97 12 00 00 01 00 2c 00 0c 00 02   ...........,....
00a0  00 00 00 00 00 10 00 2a 12 00 00 63 1a 3c 18 3f   .......*...c.<.?
00b0  00 64 00 ff ff 12 00 97 12 00 00 01 00 2c 00 0c   .d...........,..
00c0  00 02 00 00 00 00 00 10 00 2a 12 00 00 63 1a 3c   .........*...c.<
00d0  18 3f 00 64 00 ff ff 10 00 2a 12 00 00 63 1a 3c   .?.d.....*...c.<
00e0  18 3f 00 64 00 ff ff 10 00 2a 12 00 00 63 1a 3c   .?.d.....*...c.<
00f0  18 3f 00 64 00 ff ff 10 00 2a 12 00 00 63 1a 3c   .?.d.....*...c.<
0100  18 3f 00 64 00 ff ff 10 00 2a 12 00 00 63 1a 3c   .?.d.....*...c.<
0110  18 3f 00 64 00 ff ff ab 00 07 14 ...
abu
asked 2023-12-06 12:39:40 +0000, updated 2023-12-07 03:13:18 +0000


2 Answers


I solved it myself. It works fine if I use [] as follows:

ip.src == 203.141.241.0/24 && data.data matches "\xcc\xcc.{6,6}\x37\x11.*[\x24][\x02]"

or

ip.src == 203.141.241.0/24 && data.data matches "\xcc\xcc.{6,6}\x37\x11.*[\x24]\x02"

The following will not work:

ip.src == 203.141.241.0/24 && data.data matches "\xcc\xcc.{6,6}\x37\x11.*\x24[\x02]"

This may be a bug in the regular expression.

abu
answered 2023-12-06 18:17:48 +0000


From the WSUG 6.4.2. Comparing Values:

6.4.2.3. Possible Pitfalls Using Regular Expressions

Alternatively, a raw string syntax can be used. Such strings are prefixed with r or R and treat backslash as a literal character.

Using raw strings avoids most problems with the "matches" operator and double escape requirements.

pcre2syntax man page:

CHARACTER TYPES

. any character except newline; in dotall mode, any character whatsoever

OPTION SETTING

Changes of these options within a group are automatically cancelled at the end of the group.

...

(?s) single line (dotall)

Combining the information above into a filter:

data.data matches r"(?s)\xcc\xcc.{6,6}\x37\x11.*\x24\x02"

It's possible to do some regex testing in Edit -> Find Packet...:


Chuckc
answered 2023-12-06 19:01:07 +0000, updated 2023-12-06 19:20:09 +0000

Comments

It worked fine. Thank you.

abu (2023-12-06 19:21:43 +0000)
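The two pitfalls the answers above touch on (the string layer unescaping \x24 into a bare "$" before the regex engine sees it, and "." refusing to cross a 0x0a byte without (?s)) can be reproduced outside Wireshark. The following is an added example, not code from the thread or from Wireshark: dfilter_unescape and dfilter_raw are an assumed model of how double-quoted and r"..." filter strings reach the regex engine, and the payloads are constructed, not taken from the posted capture.

```python
import re

# Constructed payloads (not bytes from the posted capture): 0xcc 0xcc header,
# six arbitrary bytes, the 0x37 0x11 marker, filler, then the wanted 0x24 0x02.
PAYLOAD = b"\x09\x00\xcc\xccABCDEF\x37\x11filler\x24\x02\x00tail"
# Same layout, but the filler contains a 0x0a byte ("\n").
PAYLOAD_NL = b"\x09\x00\xcc\xccABCDEF\x37\x11fil\x0aler\x24\x02\x00tail"


def dfilter_unescape(literal: str) -> bytes:
    """Assumed model of a double-quoted dfilter string: every \\xHH escape is
    turned into the raw byte before the pattern reaches the regex engine."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)),
                  literal).encode("latin-1")


def dfilter_raw(literal: str) -> bytes:
    """Assumed model of an r"..." dfilter string: backslashes pass through
    untouched, so the regex engine itself interprets \\xHH as a literal byte."""
    return literal.encode("latin-1")


def matches(pattern: bytes, payload: bytes) -> bool:
    # Python's bytes regexes agree with PCRE2 on the two points that matter
    # here: '.' excludes 0x0a unless (?s) is set, and a bare '$' is an anchor.
    return re.search(pattern, payload) is not None


QUESTION = r"\xcc\xcc.{6,6}\x37\x11.*\x24\x02"


def question_filter(payload: bytes) -> bool:
    # After unescaping, \x24 has become '$', an end-of-subject anchor, so the
    # pattern demands a 0x02 byte after the end of the data: it never matches.
    return matches(dfilter_unescape(QUESTION), payload)


def bracket_workaround(payload: bytes) -> bool:
    # First answer: inside [...] a '$' is an ordinary character again.
    return matches(dfilter_unescape(r"\xcc\xcc.{6,6}\x37\x11.*[\x24]\x02"), payload)


def raw_string_filter(payload: bytes) -> bool:
    # Second answer: r"..." leaves \x24 for the regex engine (a literal 0x24),
    # and (?s) lets '.*' run across a 0x0a byte in the filler.
    return matches(dfilter_raw("(?s)" + QUESTION), payload)


def raw_string_without_dotall(payload: bytes) -> bool:
    # A raw string alone fixes the '$' problem, but '.' still stops at 0x0a.
    return matches(dfilter_raw(QUESTION), payload)
```

Running the four functions against PAYLOAD and PAYLOAD_NL shows that only the raw string with (?s) matches both payloads, while the original double-quoted filter matches neither.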
