Wireshark-users: [Wireshark-users] Support for using back reference with RegExp on Display Filter
Hi
There's a certain scenario that we want to know in our company.
It's when a user defines a week password.
Pass is sent in plain text and the following is just an example:
-----
Http header
get /user_registration.php?user=John&pass=45John23
------
if i set the display filter to - data.data contains
"user=(.{1,7})&pass=.{0,5}\1.{0,5}="
(which basically searches for the username in the password field)
the example won't show up.
looking for - data.data contains "user=(.{1,7})&pass=.{0,5}John.{0,5}="
will show the example so i'm worried that it's either:
1. syntax - using "\1" here is wrong
2. lack of support for back reference on the PCBE engine.
i'm using wireshark 1.0.6 on win32. tried also 1.1.2 with no success
Thx,
Ivan