tcpdump mailing list archives
understanding filtering
From: Sam Carleton <sam () linux-info net>
Date: Mon, 16 Dec 2002 20:45:46 -0500
Folks,

My first exposure to pcap was through the program snort. Being a C/C++ Windows programmer, I would like to have a bit more control over the info I would like to capture. Thus I am now looking into pcap as the engine for my packet capture program.

The only thing I am scratching my head about is the filtering. I need to filter based on content, the first two bytes of the packet, not the addr or even port. Can I create a rule for pcap that will filter based on content? The first two bytes are 2Ah 02h.

The other thing I need a bit of help with is the flags. I understand the basics, but I have never done any heavy-duty IP programming. The snort rule I have contains "flags:AP+". From looking at the snort docs, that means ACK, PSH, and "ALL flag, match on all specified flags plus any others". Wouldn't simply having a + get the same thing done?

Sam

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
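An added example for the two questions in the post above (matching on the first payload bytes and the "AP+" flag semantics). It is written by the editor and is not part of the thread, of snort, or of libpcap. The filter strings are standard pcap-filter syntax as accepted by pcap_compile() and tcpdump; the Python evaluator and the sample frames are constructed here so the example runs without libpcap, and the evaluator reads exactly the bytes the BPF expression indexes. One assumption: "first two bytes of the packet" is taken to mean the first two bytes of TCP payload, since pcap's tcp[n] indexes from the start of the TCP header, so the payload offset has to be computed from the data-offset field rather than hard-coded.

```python
import struct

# Filter expressions in standard pcap-filter syntax (what pcap_compile() and
# tcpdump accept). tcp[n] indexes bytes from the start of the TCP header:
#   tcp[12] high nibble = data offset in 32-bit words, so (tcp[12]&0xf0)>>2 is
#            the TCP header length in bytes = offset of the first payload byte;
#   tcp[13]  = flags byte (FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20).
# "proto[off:2]" compares a 16-bit big-endian value, so 0x2a02 is bytes 2Ah 02h.
CONTENT = "tcp[((tcp[12]&0xf0)>>2):2] = 0x2a02"
FLAGS_AP_PLUS = "tcp[13] & 0x18 = 0x18"   # ACK and PSH set, other bits ignored
FLAGS_AP_EXACT = "tcp[13] = 0x18"          # exactly ACK+PSH, nothing else
FILTER = FLAGS_AP_PLUS + " and " + CONTENT

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_frame(flags, payload, ip_options=b"", tcp_options=b""):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (not captured
    traffic). Options must be padded to a multiple of 4 bytes. Checksums are
    left at zero; the filter never reads them."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    doff = 5 + len(tcp_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, doff << 4, flags,
                      8192, 0, 0) + tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    return eth + ip + ip_options + tcp


def matches(frame, exact_flags=False):
    """Reference evaluation of FILTER (or of FLAGS_AP_EXACT and CONTENT when
    exact_flags is True), reading the same bytes the compiled BPF program
    reads. Assumes DLT_EN10MB link layer and IPv4, as the filter strings do."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False                                  # not IPv4 over Ethernet
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return False                                  # not IPv4 carrying TCP
    if struct.unpack("!H", ip[6:8])[0] & 0x1fff:
        return False                                  # tcp[] only on first fragment
    tcp = ip[(ip[0] & 0x0f) * 4:]                     # honour variable IHL
    if len(tcp) < 14:
        return False
    flags_ok = tcp[13] == 0x18 if exact_flags else (tcp[13] & 0x18) == 0x18
    if not flags_ok:
        return False
    start = (tcp[12] & 0xf0) >> 2                     # first payload byte
    if len(tcp) < start + 2:
        return False                                  # BPF fails out-of-range loads
    return tcp[start:start + 2] == b"\x2a\x02"


if __name__ == "__main__":
    print("filter:", FILTER)
    for name, frame in [
        ("AP, payload 2a02", build_frame(TCP_ACK | TCP_PSH, b"\x2a\x02data")),
        ("APU, TCP options", build_frame(TCP_ACK | TCP_PSH | TCP_URG, b"\x2a\x02",
                                         tcp_options=b"\x01\x01\x01\x00")),
        ("A only", build_frame(TCP_ACK, b"\x2a\x02")),
        ("AP, wrong bytes", build_frame(TCP_ACK | TCP_PSH, b"\x00\x2a\x02")),
    ]:
        print(f"{name:20s} -> {matches(frame)}")
```

The two flag expressions are the point of the "+" question: `tcp[13] & 0x18 = 0x18` matches any segment with ACK and PSH set whatever else is set (the "specified flags plus any others" reading), whereas `tcp[13] = 0x18` matches only segments whose flag byte is exactly ACK+PSH. Current libpcap also accepts the symbolic form `tcp[tcpflags] & (tcp-ack|tcp-push) = (tcp-ack|tcp-push)`; the numeric form is what works on older releases. Two caveats carried over from BPF itself: `tcp[...]` only matches the first fragment of a fragmented datagram, and the evaluator above, like the filter strings, covers IPv4 only.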
Current thread:
- understanding filtering Sam Carleton (Dec 16)
- Re: understanding filtering Guy Harris (Dec 16)
- Re: understanding filtering Andrew Brown (Dec 17)
- Re: understanding filtering George Bakos (Dec 17)
- releases (was Re: understanding filtering ) Michael Richardson (Dec 17)
- Re: releases (was Re: understanding filtering ) Guy Harris (Dec 17)
- questions perf about tcpdump->libpcap->freebsd rmkml (Dec 17)
- Re: understanding filtering Guy Harris (Dec 16)