Wireshark mailing list archives

Re: Wireshark Capture Filter Using Offset


From: "George E Burns" <geburns () ashland com>
Date: Tue, 20 Jul 2010 10:55:27 -0400

Hello Guy,

Thanks for the re-directs concerning the values and offsets.  Forgive me 
for asking, but where can I find the proper syntax to use when creating 
complex "capture filters"? 

You mentioned the UDP header was 16 bytes, but I thought it was only 8 
bytes.  I have tried the recommended filter: udp port domain and (udp[19] 
& 0x78) = 0x28 , but that does not seem to trigger the capture.  I ran a 
comparison trace without the filter and verified the target packets were 
being received by the analyzer.  Any ideas? 

Thanks,

George



From:   Guy Harris <guy () alum mit edu>
To:     Community support list for Wireshark 
<wireshark-users () wireshark org>
Date:   07/20/2010 02:55 AM
Subject:        Re: [Wireshark-users] Wireshark Capture Filter Using 
Offset
Sent by:        wireshark-users-bounces () wireshark org
On Jul 19, 2010, at 11:37 PM, Guy Harris wrote:

The UDP header is 16 bytes, so you have to add 16 to the offset from the 
beginning of the DNS header.  The opcode is in the byte at an offset of 3 
from the beginning of the DNS header, so that's an offset of 19 (which is 
*NOT* 0x2C!), so the filter would be

               udp port domain and (udp[19] & 0x78) = 0x50

Sorry, that's

                 udp port domain and (udp[19] & 0x78) = 0x28

Caring about the query vs. response flag is left as an exercise for the 
reader.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe


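An added example (not part of the thread) that works the offset arithmetic out on a constructed UDP/DNS datagram: the UDP header is 8 bytes and the DNS opcode occupies bits 0x78 of the first flags byte, which sits 2 bytes into the DNS header, so the byte a `udp[N]` test needs is `udp[10]`. It evaluates the `udp[19]` test from the thread and the `udp[10]` test against the same packet, and shows how widening the mask to 0xF8 also pins the QR (query/response) bit; packet contents, ports and the DNS ID are constructed values.

```python
import struct

UDP_HEADER_LEN = 8      # src port, dst port, length, checksum: 2 bytes each
DNS_FLAGS_OFFSET = 2    # DNS header: ID (2 bytes), then the 16-bit flags word
OPCODE_MASK = 0x78      # bits 3..6 of the first flags byte hold the opcode
QR_OPCODE_MASK = 0xF8   # same, plus bit 7 (QR): 0 = query, 1 = response


def dns_opcode_udp_offset():
    """Offset, counted from the start of the UDP header, of the byte that
    carries the DNS opcode, i.e. the N to use in a 'udp[N]' filter test."""
    return UDP_HEADER_LEN + DNS_FLAGS_OFFSET


def opcode_value(opcode):
    """Right-hand side of '(udp[N] & 0x78) = value' for a given opcode."""
    return opcode << 3      # opcode 5 (UPDATE) -> 0x28


def build_udp_dns(opcode, qr=0, src_port=40000, dst_port=53):
    """Constructed UDP datagram: 8-byte UDP header plus a 12-byte DNS header
    with the given opcode and QR bit and no question section. The UDP
    checksum is left at 0, which is permitted over IPv4."""
    dns_id = 0x1234
    flags = (qr << 15) | (opcode << 11)     # QR is bit 15, opcode bits 11..14
    dns_header = struct.pack("!HHHHHH", dns_id, flags, 0, 0, 0, 0)
    udp_header = struct.pack("!HHHH", src_port, dst_port,
                             UDP_HEADER_LEN + len(dns_header), 0)
    return udp_header + dns_header


def bpf_byte_test(datagram, offset, mask, value):
    """Evaluate a '(udp[offset] & mask) = value' capture-filter test on a
    buffer that starts at the UDP header. An offset past the end of the
    packet never matches, which is also how a BPF program behaves."""
    if offset >= len(datagram):
        return False
    return (datagram[offset] & mask) == value


if __name__ == "__main__":
    n = dns_opcode_udp_offset()
    update_query = build_udp_dns(opcode=5)          # opcode 5 = DNS UPDATE
    print("opcode byte is udp[%d]; filter: udp port domain and "
          "(udp[%d] & 0x%02x) = 0x%02x" % (n, n, OPCODE_MASK, opcode_value(5)))
    # udp[19] is the low byte of ARCOUNT in a 12-byte DNS header: 0x00 or 0x01
    # in practice, so masking it with 0x78 never yields 0x28.
    print("udp[19] test:", bpf_byte_test(update_query, 19, OPCODE_MASK, 0x28))
    print("udp[%d] test:" % n, bpf_byte_test(update_query, n, OPCODE_MASK, 0x28))
    # Widening the mask to 0xF8 keeps UPDATE queries and drops UPDATE responses.
    update_resp = build_udp_dns(opcode=5, qr=1)
    print("queries only:", bpf_byte_test(update_resp, n, QR_OPCODE_MASK, 0x28))
```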