tcpdump mailing list archives

understanding filtering


From: Sam Carleton <sam () linux-info net>
Date: Mon, 16 Dec 2002 20:45:46 -0500

Folks,

My first exposure to pcap was through the program snort.  Being a C/C++
Windows programmer, I would like to have a bit more control over the info
I would like to capture.  Thus I am now looking into pcap as the engine
for my packet capture program.  

The only thing I am scratching my head about is the filtering.  I need to
filter based on content, the first two bytes of the packet, not the addr
or even port.  Can I create a rule for pcap that will filter based on
content?

The first two bytes are 2Ah 02h.

The other thing I need a bit of help with is the flags.  I understand the
basics, but I have never done any heavy-duty IP programming.  The snort
rule I have contains "flags:AP+".  From looking at the snort docs, that
means ACK, PSH, and "ALL flag, match on all specified flags plus any
others".  Would not simply having a + get the same thing done?

Sam
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
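As an added illustration (not part of the message above, and not libpcap or snort code), the two conditions asked about map onto one BPF filter expression, and the Python below applies the same test by hand to constructed Ethernet/IPv4/TCP frames so the matching rule can be seen step by step. The frame builder, addresses and payloads are all made up for the example.

```python
import struct

# TCP flag bits as they appear in the 14th byte of the TCP header (tcp[13]).
ACK = 0x10
PSH = 0x08

def build_frame(flags, payload, tcp_options=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                 # zero MACs + IPv4 ethertype
    data_off = 5 + len(tcp_options) // 4             # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_off << 4,
                      flags, 65535, 0, 0) + tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp

def matches(frame):
    """True if the frame is TCP, has ACK and PSH set (plus any other flags)
    and its payload begins with 0x2A 0x02.

    Equivalent tcpdump/libpcap filter expression:
      tcp[tcpflags] & (tcp-ack|tcp-push) == (tcp-ack|tcp-push)
        and tcp[((tcp[12] & 0xf0) >> 2):2] = 0x2a02
    The "& mask == mask" form is the "all specified flags plus any others"
    semantics of snort's trailing '+'.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False                                 # not IPv4
    ip = frame[14:]
    if ip[9] != 6:
        return False                                 # not TCP
    tcp = ip[(ip[0] & 0x0F) * 4:]                    # skip IP header + options
    if len(tcp) < 20:
        return False
    doff = (tcp[12] >> 4) * 4                        # same as (tcp[12] & 0xf0) >> 2
    if tcp[13] & (ACK | PSH) != (ACK | PSH):
        return False                                 # ACK or PSH missing
    return tcp[doff:doff + 2] == b"\x2a\x02"         # first two payload bytes
```

The data-offset arithmetic matters: a fixed offset such as tcp[20:2] would miss the payload whenever TCP options are present.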

