Andreas Hansen wrote:
> (?#start: flag).*:\s([PSF])(?#end:flag) (?#nothing more interesting on 
> this line)
> .*$(?#end)
> 
> (?#start: look for index pattern)
> \s^E.{5}@.{9}Q.{30,42}
> (?#end: index)

You are looking for an end-of-line ($), followed by whitespace (\s), 
followed by a start of line (^). This doesn't look right to me. It might 
work sometimes, depending on whether your end-of-line is \n or \r\n

> (?#start: get the username which is surrounded by multiple dots, minimum 
> of 2 in the beginning and 0+ after)
> .*\.{2,}([\w](?:\w+.){1,13}\w)\.*

That one makes little sense.

  [\w]  is the same as \w

  (?:\w+.)  means one or more word characters followed by any character;
            this is then repeated between 1 and 13 times
  \w        must be followed by a word character

  \.*       this is superfluous, since it matches 0 or more dots,
            it would therefore match regardless of what is next

> Each of those expressions works individually and together(in rubular)

Don't test them in rubular. Test them in irb or in ruby.

> another thing:
> some usernames are really hard to extract from the packets. an example:
> G-eX.Dowden (http://rubular.com/regexes/8401)
> any suggestions?

You're using the wrong way to view the packets in the first place.

Using a ruby interface to libpcap would be the safest way - I think I 
saw one, but I've never used it.

Otherwise, look at tcpdump -X for a proper hex packet dump.

Brian.
-- 
Posted via http://www.ruby-forum.com/.
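
The points made in the reply above about the two quoted patterns can be checked directly in Ruby. This is an added example, not code from the thread: the sample strings are constructed, the index pattern is shortened to its leading E, and JOIN_EXPLICIT is an assumed alternative that names the line terminator instead of relying on `$\s^`.

```ruby
# Added example: all sample strings below are constructed, not real packet data.

# 1. The "$\s^" line join: flag capture plus the leading "E" of the index pattern.
JOIN_QUOTED   = /:\s([PSF]).*$\s^E/          # as quoted: ".*" sits before "$"
JOIN_NO_STAR  = /:\s([PSF])$\s^E/            # same join with the ".*" removed
JOIN_EXPLICIT = /:\s([PSF])[^\r\n]*\r?\nE/   # assumption: spell out the terminator

# 2. The username pattern as quoted, and the same pattern without the final \.*
USER_QUOTED      = /.*\.{2,}([\w](?:\w+.){1,13}\w)\.*/
USER_NO_TRAILING = /.*\.{2,}([\w](?:\w+.){1,13}\w)/

# Return capture group 1, or nil when the pattern does not match.
def capture(re, text)
  m = re.match(text)
  m && m[1]
end

LF   = "flag: P\nE"     # Unix line ending
CRLF = "flag: P\r\nE"   # DOS/network line ending

if __FILE__ == $0
  # In Ruby "$" only matches before "\n" and "." matches "\r", so the quoted
  # join survives CRLF only because ".*" swallows the "\r" first.
  { "LF" => LF, "CRLF" => CRLF }.each do |name, text|
    [JOIN_QUOTED, JOIN_NO_STAR, JOIN_EXPLICIT].each do |re|
      puts "#{name.ljust(5)} #{re.source.ljust(28)} => #{capture(re, text).inspect}"
    end
  end

  # The unescaped "." lets the "username" contain a space, and dropping the
  # trailing \.* never changes what is captured.
  ["..john.doe..", "..ab cd"].each do |text|
    [USER_QUOTED, USER_NO_TRAILING].each do |re|
      puts "#{text.inspect.ljust(16)} #{re.source.ljust(38)} => #{capture(re, text).inspect}"
    end
  end
end
```
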