Re: Sniffing ranges of ips

[Robert Lowe <Robert.H.Lowe () lawrence edu>]

MMatos wrote:

> > tcpdump [options] '( ip[12:4] >= 0xc0a8020f ) and ( ip[12:4] <= 
> > 0xc0a80228 )'
>
> First of all thanks for the precious help you give me !
>
> I' ve been analysing the scripts and they expand the ranges to all ips 
> and then work around with the netmasks ..
>
> Indead i like the 2nd way you're sugesting but i've a little doubt:
>
> Lets pick ip[12:4]
> The ip is self explanatory; the 4 represents the 4th word of the ip 
> datagram wich corresponds to the source adress  (right?) but i'm unable 
> to find out  the purpose of the number 12 .
> Can you enlight me about that?

The 12 is the starting index (13th byte), and the 4 is the range, i.e.
IPV4 addresses are four bytes.  BTW, this is in the tcpdump manpage.

-Robert

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.