tcpdump mailing list archives

Re: tcpdump filter for HTTP GET

From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Mon, 08 Nov 2004 14:23:18 -0500

Robert Lowe wrote:

Jefferson Ogata wrote:

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420


Beautiful!  But wouldn't the bit-shift be for 4 bits?  Thanks!!!!

It would, but then you'd have to multiply by 4 since the offset is inmultiples of 4. So >> 2 does the shift and multiply in one operation.


--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Current thread:

tcpdump filter for HTTP GET Robert Lowe (Nov 08)
- Re: tcpdump filter for HTTP GET Jefferson Ogata (Nov 08)
  - Re: tcpdump filter for HTTP GET Robert Lowe (Nov 08)
    - Re: tcpdump filter for HTTP GET Guy Harris (Nov 08)
    - Re: tcpdump filter for HTTP GET Jefferson Ogata (Nov 08)
    - Re: tcpdump filter for HTTP GET Robert Lowe (Nov 08)