It does, thanks. But I still have a problem applying the correct filter. For example, here is content of UDP packet:
--------------------------------------------------------------------------------- SIP/2.0 200 OK To: <sip:[EMAIL PROTECTED]>;tag=51d14022 From: 9094354499<sip:[EMAIL PROTECTED]>;tag=4c3d535f Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bKD22343432336665633a787.0 Via: SIP/2.0/UDP 10.10.10.100 ;branch=z9hG4bK-4fe05e85f80de1da371f137b46b23e25;psrrposn=1 Via: SIP/2.0/UDP 10.10.10.50:5065 ;branch=z9hG4bK-d87543-9b1a2741582f6b580701-1-cHA4NmI1ZmE3MDEzOWRmZjFhMzViZg..-d87543- Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2 CSeq: 342974572 INVITE Contact: < sip:[EMAIL PROTECTED]
User-Agent: Tele2100 --------------------------------------------------------------------------------- Look at rows #4-7. They start with "Via:" string I want to find all packets where "Via:" string occurs more then once, above packet is an example. But when I use filter udp matches "Via.*Via" It does not display anything. What I'm doing wrong? Thanks, --i.n. On 5/2/07, Gerald Combs <[EMAIL PROTECTED]> wrote:
The Windows version ships with PCRE. Did you try typing in the filter, and does it turn green? Irakli Natshvlishvili wrote: > Yaah, I dug into docs and found that regex could be used in display filters. > > Unfortunately, windows installer for Wireshark does not have PCRE > support. Am I right? > > Do I understand correctly, that I need re-compile wireshark from the > source under windows to have regex support? > > If yes, than, well, sorry, I can't do it... > > --i.n. > > On 5/2/07, *Gerald Combs* <[EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>> wrote: > > Irakli Natshvlishvili wrote: > > Question: > > > > Using display filters is there a way to find if a particular string > > occurs more then once in a packet? > > > > For example, if there is an UDP packet which has payload "this is one > > 1234 two one test", then filtering via UDP contains "one" will > display > > this UDP packet. > > > > But I want to filter ALL packets, where this particular string occurs > > more then once. > > > > Any way do do it? > > If you have PCRE support compiled in, you can use something like > > udp matches "one.*one" > > That translates to "the string 'one' followed by zero or more characters > followed by the string 'one'." The "matches" operator supports > Perl-compatible regular expressions, which are described at > http://perldoc.perl.org/perlre.html . > > You can check for PCRE support via "Help->About Wireshark" or by using > the "-v" command-line flag. You can also type in the filter above and > see if the display filter entry turns green. > _______________________________________________ > Wireshark-users mailing list > Wireshark-users@wireshark.org <mailto:Wireshark-users@wireshark.org> > http://www.wireshark.org/mailman/listinfo/wireshark-users > > > > > -- > I.N . > > > ------------------------------------------------------------------------ > > _______________________________________________ > Wireshark-users mailing list > Wireshark-users@wireshark.org > http://www.wireshark.org/mailman/listinfo/wireshark-users _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
-- I.N.
_______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
