I have a Wireshark capture and I'm trying to create a display filter [Wireshark documentation] that finds XML documents which contain the term @@ V? (at-at-space-V-questionmark). The documentation says Perl Regex are used:
The matches operator makes it possible to search for text in string fields and byte sequences using a regular expression, using Perl regular expression syntax.
And
Note: Wireshark needs to be built with libpcre in order to be able to use the matches operator.
I can't find out whether this condition applies, but in general I can use the matches operator, so I'd assume that part is fulfilled.
IMHO the filter xml matches "@@ V\?" should work, but it finds XML that does not fit the criterion, e.g. an XML like
<?xml version="1.0"?>
<dialog><sysdef name="TERMREC" value="@@ U1160613113912"/></dialog>
What's wrong with my filter or with Wireshark?
Using a filter without special characters (e.g. xml matches "@@ V0") works as expected. Other filters with special characters (e.g. xml matches "@@ V1\*") do not work either.
@@ V\? and it matches @@ U1160613113912?
xml matches "@@ V0" for example works as expected, so I guess it has to do with the ? which I escaped as \?.
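A likely explanation for the behaviour described in the question, as an added example (not part of the original post and not Wireshark code): it assumes the display-filter parser unescapes the double-quoted string once before the regex engine sees it, so `\?` arrives as a bare `?` quantifier. The helper names and the `WANTED` document are constructed for illustration.

```python
import re

# Assumed model, not Wireshark source: a double-quoted filter string is
# unescaped once, so a backslash before any character is consumed and only
# the following character is kept.
def dq_unescape(filter_string: str) -> str:
    out, i = [], 0
    while i < len(filter_string):
        ch = filter_string[i]
        if ch == "\\" and i + 1 < len(filter_string):
            out.append(filter_string[i + 1])  # "\?" -> "?", "\\" -> "\"
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def filter_matches(filter_string: str, payload: str) -> bool:
    """Two stages: string unescape, then an unanchored regex search."""
    return re.search(dq_unescape(filter_string), payload) is not None

# XML from the question (should NOT be selected by the filter).
UNWANTED = ('<?xml version="1.0"?>\n<dialog><sysdef name="TERMREC" '
            'value="@@ U1160613113912"/></dialog>')
# Constructed document that really contains "@@ V?".
WANTED = ('<?xml version="1.0"?>\n<dialog><sysdef name="TERMREC" '
          'value="@@ V?"/></dialog>')

CANDIDATES = {
    "as typed in the question": r"@@ V\?",
    "backslash doubled": r"@@ V\\?",
    "character class, no backslash": r"@@ V[?]",
}

def evaluate():
    """Return {label: (regex seen by engine, hits WANTED, hits UNWANTED)}."""
    return {
        label: (dq_unescape(f), filter_matches(f, WANTED),
                filter_matches(f, UNWANTED))
        for label, f in CANDIDATES.items()
    }

if __name__ == "__main__":
    for label, (regex, hit, false_hit) in evaluate().items():
        print(f"{label:32} regex={regex!r:12} wanted={hit} unwanted={false_hit}")
```

Under that assumption the regex engine receives `@@ V?`, where `V` is optional, so any payload containing `@@ ` is selected; the character-class form does not depend on how backslashes are handled.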