Wireshark mailing list archives
Re: Wireshark Capture Filter Using Offset
From: Guy Harris <guy () alum mit edu>
Date: Tue, 20 Jul 2010 10:43:14 -0700
On Jul 20, 2010, at 8:18 AM, Sake Blok wrote:
> And of course the tcpdump manual page is a great source.
...unless you have tcpdump 4.0 or later, in which case the manual page assumes you also have libpcap 1.0 or later, and refers you to the libpcap pcap-filter man page, to which the description of the capture filter language has been moved (as the filter language is implemented in libpcap/WinPcap, and is thus used by more programs than just tcpdump). For Windows users, see http://www.winpcap.org/docs/docs_412/html/group__language.html
> PS If you really want to dig into it, tcpdump -d <filter> will show you what the compiled BPF code will be, which you can use to verify the filter (if you understand the produced "machine-code").
And if you don't understand it but want to, start at http://www.tcpdump.org/papers/bpf-usenix93.pdf which briefly describes the pseudo-machine in "3.3 The BPF Pseudo-Machine".
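Added example, not part of the original message and not libpcap code: a small Python interpreter for the few BPF instructions a `tcpdump -d` listing for an offset-based filter typically contains, so the listing can be checked against sample frames. The listing is hand-written in tcpdump's notation (not captured output), and `parse`, `run` and `frame` are names made up for this illustration.

```python
import re

# Hand-written listing in the notation `tcpdump -d` prints (constructed for this
# example, not captured tool output). Intent: Ethernet/IPv4/TCP with SYN set.
PROGRAM = """\
(000) ldh  [12]
(001) jeq  #0x800   jt 2  jf 8
(002) ldb  [23]
(003) jeq  #0x6     jt 4  jf 8
(004) ldxb 4*([14]&0xf)
(005) ldb  [x + 27]
(006) jset #0x2     jt 7  jf 8
(007) ret  #65535
(008) ret  #0"""
LINE = re.compile(r"\(\d+\)\s+(\w+)\s+(.*?)(?:\s+jt (\d+)\s+jf (\d+))?$")

def parse(text):
    # One (opcode, operand, jt, jf) tuple per line; jt/jf are absolute indices.
    return [(m[1], m[2], int(m[3] or 0), int(m[4] or 0))
            for m in map(LINE.match, text.splitlines())]

def run(insns, pkt):
    # Returns the value of the `ret` reached: 0 drops the packet, else accept.
    a = x = pc = 0          # accumulator, index register, program counter
    def load(off, size):
        if off + size > len(pkt):
            raise IndexError("load past end of packet")
        return int.from_bytes(pkt[off:off + size], "big")
    try:
        while True:
            op, arg, jt, jf = insns[pc]
            pc += 1
            k = int(arg[1:], 0) if arg[0] == "#" else int(re.search(r"(\d+)\]", arg)[1])
            if op == "ret":
                return k
            elif op in ("jeq", "jset"):
                pc = jt if (a == k if op == "jeq" else a & k) else jf
            elif op == "ldxb":   # 4*([k]&0xf): IPv4 header length in bytes
                x = 4 * (load(k, 1) & 0xF)
            else:                # ldb / ldh, absolute [k] or indexed [x + k]
                a = load(k + (x if arg.startswith("[x") else 0), 1 if op == "ldb" else 2)
    except IndexError:
        return 0   # classic BPF rejects the packet when a load runs past its end

def frame(ihl=5, proto=6, flags=0x02):
    # Constructed Ethernet/IPv4/TCP frame; only bytes the filter reads are set.
    ip, tcp = bytearray(ihl * 4), bytearray(20)
    ip[0], ip[9], tcp[13] = 0x40 | ihl, proto, flags
    return bytes(12) + b"\x08\x00" + bytes(ip) + bytes(tcp)
```

The indexed load `[x + 27]` is what keeps the flags-byte offset correct when the IPv4 header carries options; a fixed absolute offset would read the wrong byte in that case.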