Wireshark · Ethereal-users: Re: [Ethereal-users] Problems with Perl regular expression (PCRE) and tethereal

[Guy Harris <gharris@xxxxxxxxx>]

Nicholas George wrote:
> I am having a problem searching a pcap dump file using the perl
> regular expression syntax for tethereal. I've found the documentation
> to be sparse. :(
>
> I would like to do something like:
> tethereal -r in.dmp frame matches 'GET /file\.htm HTTP/1\.1'
>
> However, it won't work unless I do:
> tethereal -r in.dmp frame matches '"GET /file\\.htm HTTP/1\\.1"'
> I don't understand why, aren't these two lines the same? (I'm using
> the bash shell

No, they're not:

	$ echo -r in.dmp frame matches 'GET /file\.htm HTTP/1\.1'
	-r in.dmp frame matches GET /file\.htm HTTP/1\.1
	$ echo -r in.dmp frame matches '"GET /file\\.htm HTTP/1\\.1"'
	-r in.dmp frame matches "GET /file\\.htm HTTP/1\\.1"

Note the double-quotes in the second line.

> The error message I get is:
> tethereal: "/" was unexpected in this context

The first command would pass to Tethereal the arguments

	-r
	in.dmp
	frame
	matches
	GET
	/file\.htm
	HTTP/1\.1

After "-r in.dmp", the remaining tokens get glued together into a single 
string, and that string is parsed; the parsing cuts it back up into 
tokens, and

	frame matches GET /file\.htm HTTP/1\.1

isn't valid, as GET is the right-hand argument to the "matches" 
operator, and the /file\.htm and HTTP/1\.1 are just extra junk.

The second command would pass to Tethereal the arguments

	-r
	in.dmp
	frame
	matches
	"GET /file\\.htm HTTP/1\\.1"

and the resulting filter string would be

	frame matches "GET /file\\.htm HTTP/1\\.1"

which would be cut into *three* tokens: "frame", "matches", and "GET 
/file\\.htm HTTP/1\\.1".  The right-hand argument to the "matches" 
operator is the entire string "GET /file\\.htm HTTP/1\\.1".

> It also doesn't work if I try:
> tethereal -r in.dmp frame matches "\"GET /file\\.htm HTTP/1\\.1\""
> although this time I get no error message.

	$ echo -r in.dmp frame matches "\"GET /file\\.htm HTTP/1\\.1\""
	-r in.dmp frame matches "GET /file\.htm HTTP/1\.1"

> It DOES work if I try.
> tethereal -r in.dmp -R 'frame matches "GET /file\\.htm HTTP/1\\.1"'

	$ echo -r in.dmp -R 'frame matches "GET /file\\.htm HTTP/1\\.1"'
	-r in.dmp -R frame matches "GET /file\\.htm HTTP/1\\.1"

This appears to be a \ vs. \\ issue, although I'm not sure why \\ works 
and \ doesn't.

> My questions are:
> What is the point of the -R?

Perhaps nothing - what does

	tethereal -r in.dmp 'frame matches "GET /file\\.htm HTTP/1\\.1"'

do?