I updated the user-agent string indicator page to include Wireshark display filters using regex to find specific user-agents. I am by no means a regex pro, so if anyone finds any discrepancies or can figure out a cleaner way to search with regex, then please let me know.
A few things I noticed when using regex in Wireshark display filters. I was not able to figure out how to escape an open and close parenthesis (if I did escape those characters normally, it would not find the user-agent), so I had to do a logical AND plus another display filter in order to locate the right value (please see the Dyre user-agent string). Also, I had to be more explicit with the query with a shorted user-agent string value; meaning I had to add a Start of Line and End of Line character to the query.
I hope you all find this information useful, feel free to ask questions or leave comments. Thank you.
No comments:
Post a Comment
Please feel free to leave a comment that is relevant to the post.