On Wed, May 02, 2007 at 04:25:31PM -0800, Irakli Natshvlishvili wrote:
> It does, thanks.
>
> But I still have a problem applying the correct filter. For example, here is
> content of UDP packet:
>
> ---------------------------------------------------------------------------------
> SIP/2.0 200 OK
> To: <sip:[EMAIL PROTECTED]>;tag=51d14022
> From: 9094354499<sip:[EMAIL PROTECTED]>;tag=4c3d535f
> Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bKD22343432336665633a787.0
> Via: SIP/2.0/UDP 10.10.10.100
> ;branch=z9hG4bK-4fe05e85f80de1da371f137b46b23e25;psrrposn=1
> Via: SIP/2.0/UDP 10.10.10.50:5065
> ;branch=z9hG4bK-d87543-9b1a2741582f6b580701-1-cHA4NmI1ZmE3MDEzOWRmZjFhMzViZg..-d87543-
> Call-ID: 22e38f2bcdd854c64a1178aa5d6358b2
> CSeq: 342974572 INVITE
> Contact: <
> sip:[EMAIL PROTECTED]
> >
> User-Agent: Tele2100
> ---------------------------------------------------------------------------------
>
> Look at rows #4-7. They start with "Via:" string
> I want to find all packets where "Via:" string occurs more than once, above
> packet is an example.
>
> But when I use filter
>
> udp matches "Via.*Via"
>
> It does not display anything.
>
> What am I doing wrong?

Regular expressions are line based, so the "." (match any character) does not
match a CR/LF. You have to match against those yourself for it to work.

Look at the following http-header:

    Host: www.google.nl
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11)

If I use the filter 'http matches "Host: .*\015\012User-Agent: .*"', it will
filter out all the http-packets where the User-Agent header follows the Host
header. I use \015\012 (the octal representation of a CR/LF).

You could also use 'http matches "Host: .*\\r\\nUser-Agent: .*"'. Can anyone
explain why I need to escape the "\" with the \r and \n, but I don't have to
escape the \ in the octal representation?

So, back to your filter, if the Via: headers are put after one another (as in
your example), you could use 'udp matches "Via: .*\015\012Via: .*"'.

Hope this helps,
Cheers,
Sake
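
The behaviour discussed in this thread, as an added example that is not part of the original messages: it replays the two filters' patterns offline and then counts Via headers by parsing, which also covers a folded header that the CR/LF pattern misses. Python's `re` module stands in for the engine behind `matches` (an assumption; in Python "." excludes only LF), and both payloads and the names `msg`, `naive_filter`, `crlf_filter` and `count_header` are constructed for illustration.

```python
import re

def msg(*lines):
    """Join header lines with CR/LF and terminate the header block."""
    return b"\r\n".join(lines) + b"\r\n\r\n"

# Constructed payloads modelled on the packet quoted in the thread.
ADJACENT = msg(
    b"SIP/2.0 200 OK",
    b"Via: SIP/2.0/UDP 10.10.10.10:5060;branch=z9hG4bK-a",
    b"Via: SIP/2.0/UDP 10.10.10.100;branch=z9hG4bK-b",
    b"CSeq: 342974572 INVITE",
)
FOLDED = msg(
    b"SIP/2.0 200 OK",
    b"Via: SIP/2.0/UDP 10.10.10.10:5060",
    b" ;branch=z9hG4bK-a",  # continuation line of the first Via
    b"Via: SIP/2.0/UDP 10.10.10.100;branch=z9hG4bK-b",
    b"CSeq: 342974572 INVITE",
)

def naive_filter(payload):
    # "Via.*Via": "." stops at the line break, so the second Via is never reached.
    return re.search(rb"Via.*Via", payload) is not None

def crlf_filter(payload):
    # "Via: .*\015\012Via: .*": the CR/LF is matched explicitly.
    return re.search(rb"Via: .*\015\012Via: .*", payload) is not None

def count_header(payload, name=b"via"):
    """Count header lines called `name`, unfolding continuation lines first."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    count = 0
    for line in unfolded.split(b"\r\n")[1:]:  # skip the start line
        field, sep, _ = line.partition(b":")
        if sep and field.strip().lower() == name:
            count += 1
    return count

if __name__ == "__main__":
    for label, p in (("adjacent", ADJACENT), ("folded", FOLDED)):
        print(label, naive_filter(p), crlf_filter(p), count_header(p))
```
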