tcpdump mailing list archives

Re: matching packets with tcpdump


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Thu, 10 May 2007 18:30:47 +0000

On 2007-05-10 17:41, McDouglas wrote:
> Is it possible to match packets based on the data content? Say, for
> example match only packets with the first two bytes of the data being
> (hex) 01 1B ?

If by "the data" you mean the TCP payload, yes.

tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x011b

The high nybble of tcp[12:1] is the number of 32-bit words in the TCP
header. So tcp[12:1] >> 2 (the & 0xf0 is perhaps a no-op in the example
expression, but is there for clarity) gives you the actual size of the
TCP header. The payload thus begins at tcp[tcp[12:1] >> 2].

You can do similar machinations for UDP or what have you.

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
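The following is an added example, not part of the original message or of tcpdump itself. It applies the same index arithmetic as the filter `tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x011b` to raw IPv4/TCP packets in pure Python, so you can see why the payload offset has to be derived from the Data Offset nybble rather than hard-coded. It also shows the UDP counterpart, where the header is a fixed 8 bytes. The packets, addresses and ports are constructed here for illustration; the function names are the example's own.

```python
"""Locate the TCP payload the way the tcpdump filter does and match its first two bytes."""
import struct

MAGIC = b"\x01\x1b"   # the two-byte pattern asked about in the thread


def build_ipv4_tcp(payload: bytes, options: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet (no link layer, checksums left at zero).
    `options` must already be padded to a multiple of 4 bytes. Constructed test data."""
    assert len(options) % 4 == 0
    data_offset_words = 5 + len(options) // 4          # 20-byte base header + options
    # Byte 12 of the TCP header: high nybble = data offset in 32-bit words,
    # low nybble = reserved bits.
    offset_byte = (data_offset_words << 4) & 0xF0
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, offset_byte, 0x18, 65535, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def build_ipv4_udp(payload: bytes) -> bytes:
    """Minimal IPv4+UDP packet; the UDP header is always 8 bytes."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp


def transport_header(packet: bytes) -> bytes:
    """Skip the IPv4 header (IHL * 4 bytes), as tcpdump does before indexing tcp[]/udp[]."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl:]


def tcp_payload(packet: bytes) -> bytes:
    """Return the TCP payload using the same expression as the filter's index."""
    if packet[9] != 6:                                   # IP protocol field: not TCP
        return b""
    tcp = transport_header(packet)
    hdr_len = (tcp[12] & 0xF0) >> 2                      # (tcp[12:1] & 0xf0) >> 2
    return tcp[hdr_len:]


def matches_tcp_filter(packet: bytes, magic: bytes = MAGIC) -> bool:
    """Equivalent of: tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x011b"""
    return tcp_payload(packet)[:2] == magic


def matches_udp_filter(packet: bytes, magic: bytes = MAGIC) -> bool:
    """Equivalent of: udp[8:2] = 0x011b (fixed 8-byte UDP header)."""
    if packet[9] != 17:                                  # not UDP
        return False
    return transport_header(packet)[8:10] == magic


def naive_tcp_match(packet: bytes, magic: bytes = MAGIC) -> bool:
    """Hard-coded offset, i.e. tcp[20:2]: correct only when no TCP options are present."""
    if packet[9] != 6:
        return False
    return transport_header(packet)[20:22] == magic


# Constructed sample packets: same payload, with and without a 4-byte MSS option.
PAYLOAD = MAGIC + b"rest of message"
NO_OPTIONS = build_ipv4_tcp(PAYLOAD)
WITH_MSS = build_ipv4_tcp(PAYLOAD, options=b"\x02\x04\x05\xb4")
OTHER_PAYLOAD = build_ipv4_tcp(b"\x00\x00hello")
UDP_PACKET = build_ipv4_udp(PAYLOAD)

if __name__ == "__main__":
    for name, pkt in [("no options", NO_OPTIONS), ("with MSS", WITH_MSS), ("other", OTHER_PAYLOAD)]:
        print(f"{name:12} filter={matches_tcp_filter(pkt)!s:5} naive tcp[20:2]={naive_tcp_match(pkt)}")
    print(f"udp          filter={matches_udp_filter(UDP_PACKET)}")
```

The packet with an MSS option is the case that matters: the filter from the post still matches it because the index is computed from the Data Offset field, while a hard-coded `tcp[20:2]` reads the option bytes instead of the payload and misses it.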

