Re: Display Filter Regex

[Tony Trinh <tony19 () gmail com>]

On Sat, Nov 3, 2012 at 9:14 AM, NeonFlash <psykosonik_frequenz () yahoo com> wrote:
> ________________________________
> From: NeonFlash <psykosonik_frequenz () yahoo com>
> To: "wireshark-users () wireshark org" <wireshark-users () wireshark org>
> Sent: Tuesday, October 30, 2012 8:51 AM
> Subject: Display Filter Regex
>
> Hi,
>
> I want to use a display filter for all the HTTP GET Requests which are of
> the form as shown below:
>
> index.php?something=
>
> As far as I know, the expression, "http contains" does not support perl
> compatible regular expressions.
>
> I am using this display filter at the moment:
>
> http.request.method == "GET" && http contains "php?"
>
> however, it also displays some GET requests to paths as shown below:
>
> /images/nature/forest.jpg
>
> Even though the GET Request to the above path does not contain the string,
> php?
>
> My guess is that it displays those frames as well because they belong to the
> same tcp stream as the one which involves the GET request to php files?
>
> http matches does support PCRE but then, I cannot use it with the above
> form.
>
> It would be great to make this display filter more exact.
>
> Thanks.

You should check only the URI:

http.request.method == "GET" && http.request.full_uri matches "index\.php\?.*="
http.request.method == "GET" && http.request.full_uri contains "index.php?"
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe