Snort mailing list archives

RE: TCPDUMP Filter don't work :(


From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Wed, 9 Oct 2002 15:05:13 -0400


From: counterping () uk2 net [mailto:counterping () uk2 net]

Hiya,

I have just started playing with filters within TCPDUMP and am a little confused ....

I do NOT want to log RTP traffic on my network, but want to log everything else.
RTP runs over UDP. The first two bytes in the PAYLOAD are always the same (this is the RTP header), and they have the hex values 80 and 04.

I have used the following filter to look at the first 2 bytes AFTER the UDP packet (bytes 8 and 9), UDP packets are always 8 bytes. (so it's kinda fooling the app)

"!udp[8] = 0x80 and udp[9] = 0x04"

This would read packets that DO NOT have udp[8] = 0x80 and packets that DO
have udp[9] = 0x04.  If I understand what you are looking for, I think what
you want is:

!udp[8] = 0x08 and !udp[9] = 0x04
or
not (udp[8] = 0x80 and udp[9] = 0x04)


And it doesn't work .... BUT what's really weird..... if I remove the 'NOT' operator (!) it works just fine, capturing ALL the RTP traffic ONLY!


- Jeff
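The precedence point in the reply above is the whole story: in a BPF filter `!` binds to the single comparison that follows it, not to the whole `and` expression. The following is an added example, not code from the thread, that models how tcpdump evaluates each of the filters discussed (the original, the reply's two alternatives, and the version with the `!` removed) against a handful of constructed UDP datagrams, so the difference in what each one captures is visible without a live interface. It assumes pcap's offset convention (`udp[N]` counts from the start of the 8-byte UDP header, so `udp[8]` is the first payload byte) and reads the `0x08` in the reply's first alternative as `0x80`, since the thread is about the `0x80` byte; the packet contents and names are constructed.

```python
# Added example: models BPF operator precedence for the filters in the thread,
# evaluated over constructed UDP datagrams (not the thread's own code).
import struct

UDP_HEADER_LEN = 8  # udp[8] in BPF is the first payload byte


def build_udp(payload: bytes, sport: int = 10000, dport: int = 5004) -> bytes:
    """Construct a UDP datagram (header + payload). Checksum is left as 0."""
    length = UDP_HEADER_LEN + len(payload)
    return struct.pack("!HHHH", sport, dport, length, 0) + payload


def udp_byte(datagram: bytes, offset: int) -> int:
    """udp[offset] in BPF terms: offset is relative to the UDP header start."""
    return datagram[offset]


# "!udp[8] = 0x80 and udp[9] = 0x04" (the original post):
# '!' negates only the first comparison -> (udp[8] != 0x80) and (udp[9] == 0x04)
def filter_original(d: bytes) -> bool:
    return (not udp_byte(d, 8) == 0x80) and udp_byte(d, 9) == 0x04


# "!udp[8] = 0x80 and !udp[9] = 0x04" (reply's first alternative, 0x08 read as 0x80):
# (udp[8] != 0x80) and (udp[9] != 0x04)
def filter_both_negated(d: bytes) -> bool:
    return (not udp_byte(d, 8) == 0x80) and (not udp_byte(d, 9) == 0x04)


# "not (udp[8] = 0x80 and udp[9] = 0x04)" (reply's second alternative):
# everything except datagrams whose first two payload bytes are exactly 80 04
def filter_parenthesized(d: bytes) -> bool:
    return not (udp_byte(d, 8) == 0x80 and udp_byte(d, 9) == 0x04)


# "udp[8] = 0x80 and udp[9] = 0x04" (the '!' removed): only the RTP pattern
def filter_rtp_only(d: bytes) -> bool:
    return udp_byte(d, 8) == 0x80 and udp_byte(d, 9) == 0x04


# Constructed sample traffic; first two payload bytes chosen to cover each case.
SAMPLES = {
    "rtp_80_04":   build_udp(bytes([0x80, 0x04]) + b"\x00" * 10),  # pattern to exclude
    "rtp_80_00":   build_udp(bytes([0x80, 0x00]) + b"\x00" * 10),  # 0x80, other 2nd byte
    "other_00_04": build_udp(bytes([0x00, 0x04]) + b"\x00" * 10),  # only 2nd byte is 0x04
    "other_12_34": build_udp(bytes([0x12, 0x34]) + b"\x00" * 10),  # unrelated payload
}


def matches(flt) -> list:
    """Names of the sample datagrams the given filter would let tcpdump capture."""
    return sorted(name for name, d in SAMPLES.items() if flt(d))


if __name__ == "__main__":
    for name, flt in [("original", filter_original),
                      ("both_negated", filter_both_negated),
                      ("parenthesized", filter_parenthesized),
                      ("rtp_only", filter_rtp_only)]:
        print(f"{name:14s} captures {matches(flt)}")
```

Only the parenthesized form captures "everything except RTP"; the original filter keeps just the packets whose second payload byte happens to be 0x04 with a different first byte, which is why it looked like it "doesn't work". When in doubt about how tcpdump has parsed an expression, `tcpdump -d '<filter>'` prints the compiled BPF instructions, and mismatched precedence shows up there as a comparison on the wrong byte.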



