Wireshark · Wireshark-users: [Wireshark-users] Support for using back reference with RegExp on Display Filter

Wireshark-users: [Wireshark-users] Support for using back reference with RegExp on Display Filter

Date: Sun, 15 Feb 2009 12:30:52 +0200

Hi

There's a certain scenario that we want to know in our company.
It's when a user defines a week password.
Pass is sent in plain text and the following is just an example:
-----

Http header
get /user_registration.php?user=

John&pass=45John23

------

if i set the display filter to - data.data contains
"user=(.{1,7})&pass=.{0,5}\1.{0,5}="
(which basically searches for the username in the password field)
the example won't show up.
looking for - data.data contains "user=(.{1,7})&pass=.{0,5}John.{0,5}="
will show the example so I'm worried that it's either:
1. syntax - using "\1" here is wrong
2. lack of support for back reference on the PCBE engine.

I'm using wireshark 1.0.6 on win32. tried also 1.1.2 with no success

Thx,
Ivan

Prev by Date: Re: [Wireshark-users] Help required for changing pcap files
Next by Date: [Wireshark-users] Scan to email Issue
Previous by thread: [Wireshark-users] Support for using back reference with RegExp on Display Filter
Next by thread: [Wireshark-users] Scan to email Issue
Index(es):
- Date
- Thread