I'm trying to write a simple flex parser for NetWitness 9.8 which will find the string "client:" in HTTP traffic and then return the IP address that follows that string.
I've run into a few questions regarding this parser; it would be great if anyone could contribute from their experience.
1. I've seen examples of retrieving a set number of characters following a specific string, but an IP address can be between 7 and 15 characters.
2. There is no point in applying my parser to all the traffic in the network; I need it to run only on very specific traffic (one subnet, port 80). Is there a way to specify this in my parser, perhaps?
3. This string repeats itself many times in every session, with an identical value per session. Would the parser stop once it found the first value, or continue to run through the whole session?
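As an added example that is not part of the original post, the following Python code is a stand-alone reference implementation of the extraction logic the question describes: it is not NetWitness flex parser syntax (the page shows none) but shows the three behaviours a practitioner would want the parser to have. A pattern of the form digits-dot-digits-dot-digits-dot-digits naturally accepts anything from 7 to 15 characters, and each candidate is then validated as a real IPv4 address so a token such as "999.1.1.1" is skipped; a scope filter admits only sessions on an assumed subnet and port; and only the first valid match per session is kept, with a helper that lists every repeat for comparison. The session records, the payloads, and the subnet 10.1.0.0/16 are all constructed for the example.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample "sessions" standing in for reassembled HTTP streams
# (not real captures). Fields: session id, src ip, dst ip, dst port, payload.
SESSIONS = [
    # in scope; the token repeats three times with an identical value
    ("s1", "10.1.2.3", "203.0.113.10", 80,
     b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
     b"client: 10.1.2.3\r\nclient: 10.1.2.3\r\nclient: 10.1.2.3\r\n"),
    # in scope; 15-character address, no space after the colon
    ("s2", "10.1.9.9", "203.0.113.20", 80,
     b"POST /x HTTP/1.1\r\nX-Info: client:192.168.100.200\r\n\r\n"),
    # wrong port: out of scope even though the token is present
    ("s3", "10.1.4.4", "203.0.113.30", 443, b"client: 10.1.4.4\r\n"),
    # wrong subnet: out of scope
    ("s4", "172.16.0.5", "203.0.113.40", 80, b"client: 172.16.0.5\r\n"),
    # in scope; first candidate is not a valid IPv4 address, second is
    ("s5", "10.1.5.5", "203.0.113.50", 80,
     b"client: 999.1.1.1\r\nclient: 1.2.3.4\r\n"),
    # in scope but the token never appears
    ("s6", "10.1.6.6", "203.0.113.60", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

# Four dotted groups of 1-3 digits: this matches anything from "1.1.1.1" (7 chars)
# to "255.255.255.255" (15 chars) without fixing the length in advance.
TOKEN_RE = re.compile(rb"client:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def extract_client_ips(payload: bytes) -> list:
    """Return every valid IPv4 address that follows 'client:' in the payload, in order."""
    found = []
    for m in TOKEN_RE.finditer(payload):
        candidate = m.group(1).decode("ascii")
        try:
            # Rejects octets above 255 (e.g. 999.1.1.1) that the regex alone would accept.
            found.append(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue
    return found


def first_client_ip(payload: bytes) -> Optional[str]:
    """Keep only the first valid match; later repeats carry the same value."""
    ips = extract_client_ips(payload)
    return ips[0] if ips else None


def in_scope(src_ip: str, dst_ip: str, dst_port: int, subnet: str, port: int) -> bool:
    """Scope filter: destination port must match and one endpoint must be in the subnet."""
    net = ipaddress.ip_network(subnet)
    return dst_port == port and (
        ipaddress.ip_address(src_ip) in net or ipaddress.ip_address(dst_ip) in net
    )


def run(sessions, subnet: str = "10.1.0.0/16", port: int = 80) -> dict:
    """Apply the scope filter, then extract one 'client:' IP per in-scope session."""
    results = {}
    for sid, src, dst, dport, payload in sessions:
        if not in_scope(src, dst, dport, subnet, port):
            continue
        ip = first_client_ip(payload)
        if ip is not None:
            results[sid] = ip
    return results


if __name__ == "__main__":
    for sid, ip in run(SESSIONS).items():
        print(sid, ip)
```

Running the block prints one line per in-scope session that carried a valid address (s1, s2 and s5); s3 and s4 are dropped by the scope filter before any pattern matching happens, which is the cheap place to do it.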