tcpdump mailing list archives

Re: match by tcp sequence number?


From: "Mike Mohr" <akihana () gmail com>
Date: Mon, 16 Jul 2007 10:52:38 -0700

Jan,

Thank you for your reply.  In the meantime I have also discovered a
great reference that you may or may not already know of:

http://packet.node.to/hacks/byte_offsets.txt

Of course you folks already know everything listed there, but for
people like myself it is quite handy.

Is there a way to match by a portion of the payload of a given packet,
or do I have to do that in my callback?

TIA

Mike

On 7/14/07, Jan C. Nordholz <jckn () gmx net> wrote:
Hi,

> I'm trying to write a filter for a small pcap application.  I need to
> match by the tcp sequence number, as I'm only interested in packets
> with sequence number 1.  I know I can match by octet, using e.g.
> tcp[13] == ???, but the sequence field is 4 octets (32-bit).  How can
> I match against this field?

tcp[4:4] should work. The manpage states that you can use expressions
like

>> proto [ expr : size ]

in your match string.


Regards,

Jan
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
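
Added example, not part of the original thread and not tcpdump or libpcap code: a self-contained C sketch of what the tcp[4:4] accessor reads, and of a payload match done in the callback as the follow-up question asks. The packet bytes and the helper names tcp_load and payload_contains are constructed for illustration, and the buffer is assumed to start at the TCP header (link and IP headers already skipped).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 20-byte TCP header (no options) + 4-byte payload. */
static const uint8_t sample_tcp[] = {
    0x04, 0xd2, 0x00, 0x50,  /* source port 1234, destination port 80 */
    0x00, 0x00, 0x00, 0x01,  /* sequence number 1: offset 4, 4 octets */
    0x00, 0x00, 0x00, 0x00,  /* acknowledgment number */
    0x50, 0x18, 0x20, 0x00,  /* data offset 5 words, PSH|ACK, window */
    0x00, 0x00, 0x00, 0x00,  /* checksum (not computed), urgent pointer */
    'P', 'I', 'N', 'G'       /* payload */
};

/* What tcp[off:size] reads: size (1, 2 or 4) octets at off, in network
 * byte order. Returns 0, or -1 if the read runs past the captured bytes. */
int tcp_load(const uint8_t *tcp, size_t len, size_t off, size_t size, uint32_t *out)
{
    if ((size != 1 && size != 2 && size != 4) || off > len || size > len - off)
        return -1;
    uint32_t v = 0;
    for (size_t i = 0; i < size; i++)
        v = (v << 8) | tcp[off + i];
    *out = v;
    return 0;
}

/* Payload match as a callback would do it: skip the header using the data
 * offset field (high nibble of octet 12, in 32-bit words), then search. */
int payload_contains(const uint8_t *tcp, size_t len, const void *needle, size_t nlen)
{
    uint32_t b;
    if (nlen == 0 || tcp_load(tcp, len, 12, 1, &b) != 0)
        return 0;
    size_t hdr = (size_t)(b >> 4) * 4;
    if (hdr < 20 || hdr > len)   /* malformed or truncated header */
        return 0;
    for (size_t i = hdr; nlen <= len - i; i++)
        if (memcmp(tcp + i, needle, nlen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    uint32_t seq = 0;
    int rc = tcp_load(sample_tcp, sizeof sample_tcp, 4, 4, &seq);
    printf("rc=%d seq=%u\n", rc, (unsigned)seq);
    return 0;
}
```

The bounds checks matter in a real callback because a capture may hold fewer bytes of a packet than its headers claim.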
