tcpdump mailing list archives

Re: Capture filter help


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Thu, 17 Jan 2008 18:37:17 +0000

On 2008-01-17 13:20, Moheed Moheed Ahmad wrote:
The problem I am facing is the same interface sometimes gives the normal
packet and sometimes with 12 bytes extra.
So when I apply the normal capture filter those with normal packets get
filtered out.

The length of the TCP header + options is encoded in the header in the upper nybble of octet 12; this nybble represents the number of longwords (4 octets) in the header. So if you want to match the beginning of the TCP payload, e.g. against 0xdeadbeef, you can do:

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0xdeadbeef

To get the next four octets, use:

tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0xdeadbeef

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
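The following is an added example, not part of the thread, that evaluates the data-offset-relative filter above in plain Python against two constructed TCP segments: one with a bare 20-byte header and one with 12 bytes of options (the "12 bytes extra" case from the question). It mirrors the BPF arithmetic `(tcp[12:1] & 0xf0) >> 2` to find where the payload begins, reads four octets there (and, with an added offset, the next four), and contrasts that with a fixed-offset read at octet 20, which only works for the option-free segment. Port numbers, option bytes and payload values are constructed sample data.

```python
"""Added example: evaluate the TCP data-offset filter from the reply against
constructed segments (not code from the tcpdump project or the thread)."""
import struct

# Constructed payload: first longword 0xdeadbeef, next longword 0xcafebabe.
PAYLOAD = bytes.fromhex("deadbeef" "cafebabe")
# Constructed 12-octet option block: NOP, NOP, timestamp (kind 8, len 10).
TS_OPTIONS = bytes.fromhex("0101080a") + bytes(8)


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Build a TCP header plus payload (checksum left zero; sample data only).

    The data offset field (upper nybble of octet 12) holds the header length
    in 32-bit words, so a 20-octet header is 5 and a 32-octet header is 8.
    """
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 octets")
    data_offset_words = (20 + len(options)) // 4
    offset_and_flags = (data_offset_words << 12) | 0x018  # PSH|ACK
    header = struct.pack(
        "!HHIIHHHH",
        12345,  # source port (constructed)
        80,     # destination port (constructed)
        1,      # sequence number
        1,      # acknowledgement number
        offset_and_flags,
        65535,  # window
        0,      # checksum (not computed)
        0,      # urgent pointer
    )
    return header + options + payload


def tcp_header_length(tcp: bytes) -> int:
    """Equivalent of the BPF expression ((tcp[12:1] & 0xf0) >> 2).

    Masking keeps the data-offset nybble in place; shifting right by 2
    (instead of 4) multiplies the word count by 4, giving octets.
    """
    return (tcp[12] & 0xF0) >> 2


def payload_word(tcp: bytes, extra: int = 0) -> int:
    """Value of tcp[((tcp[12:1] & 0xf0) >> 2) + extra : 4] as an integer."""
    start = tcp_header_length(tcp) + extra
    return struct.unpack("!I", tcp[start:start + 4])[0]


def fixed_offset_word(tcp: bytes, start: int = 20) -> int:
    """Value of tcp[20:4], the naive filter that assumes no options."""
    return struct.unpack("!I", tcp[start:start + 4])[0]


if __name__ == "__main__":
    plain = build_tcp_segment(PAYLOAD)
    with_opts = build_tcp_segment(PAYLOAD, TS_OPTIONS)
    for name, seg in (("no options", plain), ("12-byte options", with_opts)):
        print(f"{name}: header={tcp_header_length(seg)} octets, "
              f"offset-relative={payload_word(seg):#x}, "
              f"next={payload_word(seg, 4):#x}, "
              f"fixed tcp[20:4]={fixed_offset_word(seg):#x}")
```

Running it shows the offset-relative read returning 0xdeadbeef for both segments while the fixed `tcp[20:4]` read returns the option bytes for the second one, which is exactly why a filter anchored at octet 20 drops the segments carrying options.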
