tcpdump mailing list archives
Re: understanding filtering
From: Andrew Brown <atatat () atatdot net>
Date: Tue, 17 Dec 2002 08:39:18 -0500
> so as long as you're testing bytes at *fixed offset* from the beginning of the link-layer (e.g., Ethernet), network layer (e.g., IP), or transport layer (e.g., TCP) header, the libpcap filter syntax can handle it. Note, however, that the length of the TCP header is not necessarily fixed length, as it might have options, so if you want to, for example, filter based on the content of the TCP payload *and* you want it to handle TCP packets with options, you'd have to construct the BPF filter code yourself.
i'm not sure here...are you affirming or denying here, that the following expression will select ssh traffic that contains data (e.g., not pure acks):

    port 22 and tcp[(tcp[12]>>4)*4:4] > 0

regardless of the presence (or absence) of tcp options.
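As an added illustration that is not part of the thread, the Python below emulates how libpcap's `tcp[n]` / `tcp[n:4]` loads evaluate on a constructed IPv4/TCP segment, so the expression above can be compared with the length-based test from the tcpdump man page (`(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0`). The helper names (`build_segment`, `load`, `filter_*`) and all packet bytes are my own constructions.

```python
import struct

def build_segment(ip_options=b"", tcp_options=b"", payload=b""):
    """Constructed IPv4+TCP bytes (no link-layer header). IHL, data offset
    and total length are filled in as a real stack would; checksums are 0."""
    ihl = 5 + len(ip_options) // 4
    doff = 5 + len(tcp_options) // 4
    total = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 1, doff << 4, 0x18,
                      8192, 0, 0) + tcp_options
    return ip + tcp + payload

def load(pkt, offset, size):
    """BPF semantics: a load past the end of the packet rejects the packet.
    Modelled here as an exception the filter functions turn into False."""
    if offset + size > len(pkt):
        raise IndexError("load past end of packet -> filter rejects")
    return int.from_bytes(pkt[offset:offset + size], "big")

def filter_first_four_bytes(pkt):
    """Emulates  tcp[(tcp[12]>>4)*4:4] > 0  (the expression in the mail).
    libpcap resolves tcp[] relative to the TCP header, i.e. after IHL*4."""
    tcp = (load(pkt, 0, 1) & 0x0F) * 4
    try:
        hdr_len = (load(pkt, tcp + 12, 1) >> 4) * 4   # data offset in words
        return load(pkt, tcp + hdr_len, 4) > 0        # first 4 payload bytes
    except IndexError:        # payload shorter than 4 bytes: never matches
        return False

def filter_payload_length(pkt):
    """Emulates  (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0
    i.e. IP total length minus IP header minus TCP header is non-zero."""
    ip_hl = (load(pkt, 0, 1) & 0x0F) << 2
    total = load(pkt, 2, 2)
    tcp_hl = (load(pkt, ip_hl + 12, 1) & 0xF0) >> 2
    return total - ip_hl - tcp_hl != 0

if __name__ == "__main__":
    for name, seg in [("pure ack", build_segment()),
                      ("ack+opts", build_segment(tcp_options=b"\x01" * 12)),
                      ("data+opts", build_segment(tcp_options=b"\x01" * 12,
                                                  payload=b"SSH-2.0-OpenSSH")),
                      ("1-byte data", build_segment(payload=b"A"))]:
        print(f"{name:12} first4={filter_first_four_bytes(seg)!s:5} "
              f"length={filter_payload_length(seg)}")
```

Both tests handle TCP options, because the header length is read from `tcp[12]` at match time; they differ on segments whose payload is shorter than four bytes (or begins with four zero bytes), which the first form rejects and the length form accepts.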