
the string to split up looks like this:

192.168.1.254445.... 0000 0000 0010 = Flags: 0x002 (SYN)

There are three bits of information in this string that need to be pulled to different variables which are:

 ip - 192.168.1.254
 port - 445
 flag - SYN

The ip is an IP address, so it will need to capture the full range of addresses. Port can be 1-4 digits long, and the flag can contain up to three three-letter flags, e.g. SYN or SYN,ACK or SYN,ACK,URG etc. (i.e. different combinations of packet flags).

I have tried using Split with ( : ' ' as the separators, but whenever I put in [1] as the output it creates an error: Index was outside the bounds of the array.

I then created this code from looking at C# RegEx string extraction:

Regex pattern = new Regex(@"(<?ip>\d+)(<?port>\d+).... \d{4} \d{4} \d{4} \d{4} = Flags: \d{1}x\d{3} ((<?flag>\w+))");
Match match = pattern.Match(dst1);
string ip = (match.Groups["ip"].Value);
string port = (match.Groups["port"].Value);
string flag = (match.Groups["flag"].Value);
string dst = ip + port + flag;
listBox1.Items.Add(dst);

But this returns no values in the listBox1.

If the string is changed to:

 192.168.1.254.... 0000 0000 0010 = Flags: 0x002 (SYN)445

Would that make it easier?

Any suggestions would be great,

Thanks.

  • You can't, because there is no way to know where the last number of the IP finishes and where the port number begins. For the example you gave, the result could be ip = 192.168.1.25, port = 4445. But perhaps you have more information about this format. Commented Aug 29, 2014 at 20:41
  • If I manage to move the port to the end behind the (SYN), can it be done then? Commented Aug 29, 2014 at 20:41
  • Yes, but how will you make this move? It is the same problem. Commented Aug 29, 2014 at 20:48
  • I've changed the order in which the string was from the data so it can read with the port at the end. Commented Aug 29, 2014 at 20:54
  • Why don't you simply use a semi-colon as the separator, like this: 192.168.1.254:445 (the most common format)? And why do you need a regex to extract the information, since you seem to have access to it? Commented Aug 29, 2014 at 20:57

1 Answer


For this input:

192.168.1.254... 0000 0000 0010 = Flags: 0x002 (SYN)445

...use this:

(?<ip>(?:\d{1,3}\.){3}\d{1,3}).*Flags:\s\d{1}x\d{3}\s\((?<flag>\w+)\)(?<port>\d+)

...for an IP address with a port in this format:

192.168.1.254:445... 0000 0000 0010 = Flags: 0x002 (SYN)

...use this:

(?<ip>(?:\d{1,3}\.){3}\d{1,3}):(?<port>\d+).*Flags:\s\d{1}x\d{3}\s\((?<flag>\w+)\)

2 Comments

Just tested the first regex out with the port number at the end. It works for all data that contains one flag, e.g. (SYN), but there are some that contain (SYN,ACK) or (RST,ACK). Is there any way to adapt this expression to include these?
You should be able to do it with a simple character class (i.e. change \w+ to [\w,]+). I tweaked the expression (pending admin approval), but haven't tested it.
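Putting the two regexes from the answer together with the [\w,]+ flag class from the comments, as an added example that is not part of the question or the answer: a C# parser that accepts both line formats, rejects values the regex alone lets through (octets above 255, ports above 65535), cross-checks the flag names against the 0x... value, and bounds the match time. One reason the pattern in the question matches nothing is the group syntax: a .NET named group is written (?<ip>...), not (<?ip>...). The class and method names, the hex character class for the flags value, the flag-to-bit table and the sample lines are my own; only the two line formats come from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example; type and helper names are my own, not from the page.
public sealed class TcpSummary
{
    public string Ip { get; set; }
    public int Port { get; set; }
    public int FlagBits { get; set; }    // numeric value from "Flags: 0x..."
    public string[] Flags { get; set; }  // names from "(SYN,ACK)"
}

public static class TcpSummaryParser
{
    // Format A (answer's first regex): the port follows "(FLAGS)".
    // Format B (answer's second regex): "ip:port" opens the line.
    // Changes from the answer: anchors, [0-9A-Fa-f] for the hex value
    // (combinations with ECE/CWR contain hex letters), the [\w,]+ flag
    // class from the comments, and a match timeout.
    private const string IpPart = @"(?<ip>(?:\d{1,3}\.){3}\d{1,3})";
    private const string FlagsPart =
        @"Flags:\s0x(?<bits>[0-9A-Fa-f]{3})\s\((?<flags>[\w,]+)\)";
    private static readonly TimeSpan MatchTimeout = TimeSpan.FromMilliseconds(100);

    private static readonly Regex FormatA = new Regex(
        "^" + IpPart + ".*" + FlagsPart + @"(?<port>\d{1,5})$",
        RegexOptions.None, MatchTimeout);
    private static readonly Regex FormatB = new Regex(
        "^" + IpPart + @":(?<port>\d{1,5}).*" + FlagsPart + "$",
        RegexOptions.None, MatchTimeout);

    // Wireshark-style flag names and their bits in the TCP flags field.
    private static readonly Dictionary<string, int> KnownFlags =
        new Dictionary<string, int>
        {
            ["FIN"] = 0x001, ["SYN"] = 0x002, ["RST"] = 0x004, ["PSH"] = 0x008,
            ["ACK"] = 0x010, ["URG"] = 0x020, ["ECE"] = 0x040, ["CWR"] = 0x080,
        };

    public static bool TryParse(string line, out TcpSummary result)
    {
        result = null;
        Match m;
        try
        {
            m = FormatA.Match(line);
            if (!m.Success) m = FormatB.Match(line);
        }
        catch (RegexMatchTimeoutException)
        {
            return false;  // a line that stalls the engine is treated as bad input
        }
        if (!m.Success) return false;

        // \d{1,3} admits "999": reject any octet above 255.
        string ip = m.Groups["ip"].Value;
        foreach (string octet in ip.Split('.'))
            if (!byte.TryParse(octet, NumberStyles.None, CultureInfo.InvariantCulture, out _))
                return false;

        // \d{1,5} admits "70000": reject ports outside 1..65535.
        if (!int.TryParse(m.Groups["port"].Value, NumberStyles.None,
                          CultureInfo.InvariantCulture, out int port)
            || port < 1 || port > 65535)
            return false;

        int bits = int.Parse(m.Groups["bits"].Value, NumberStyles.HexNumber,
                             CultureInfo.InvariantCulture);
        string[] flags = m.Groups["flags"].Value.Split(',');

        // Cross-check the names against the numeric field; an unknown name or
        // a mismatch means the line is not the format we think it is.
        int fromNames = 0;
        foreach (string f in flags)
        {
            if (!KnownFlags.TryGetValue(f, out int bit)) return false;
            fromNames |= bit;
        }
        if (fromNames != bits) return false;

        result = new TcpSummary { Ip = ip, Port = port, FlagBits = bits, Flags = flags };
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample lines: the two formats from the page, then three
        // that must be rejected.
        string[] lines =
        {
            "192.168.1.254... 0000 0000 0010 = Flags: 0x002 (SYN)445",
            "192.168.1.254:445... 0000 0000 0010 = Flags: 0x002 (SYN)",
            "10.0.0.1:80... 0000 0001 0010 = Flags: 0x012 (SYN,ACK)",
            "192.168.1.999:445... 0000 0000 0010 = Flags: 0x002 (SYN)",  // octet > 255
            "10.0.0.1:70000... 0000 0000 0010 = Flags: 0x002 (SYN)",     // port > 65535
            "10.0.0.1:80... 0000 0000 0010 = Flags: 0x002 (SYN,ACK)",    // names != bits
        };
        foreach (string line in lines)
        {
            if (TcpSummaryParser.TryParse(line, out TcpSummary s))
                Console.WriteLine($"ip={s.Ip} port={s.Port} flags={string.Join("|", s.Flags)} bits=0x{s.FlagBits:X3}");
            else
                Console.WriteLine($"rejected: {line}");
        }
    }
}
```

The match timeout matters once these lines come from a capture you do not control: the .* between the address and "Flags:" backtracks over the whole line, so a long hostile line costs time even though it cannot match. If your dissector prints the list as "SYN, ACK" with a space rather than "SYN,ACK", widen the class to [\w, ]+ and Trim() each token before the lookup.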
