Re: tcpdump forum ?

[Sake Blok <sake () euronet nl>]

On 4 sep 2012, at 07:19, Aktuna, Ilker, Vodafone Turkey wrote:

> How can I add a network address condition to the following filter ?
>  
> “ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060)”
>  
> I want to add a source/dest network condition like “net 10.10.0.0/16” , or “net 192.168.202.96/27”

OK, you want to look at the IP src and IP dst address in the inner IP header, they are at offset 12 and 16, so you will 
have to use "ip[20+12:4]" and "ip[20+16:4]". You want to calculate the (sub)network address, so you need to "and" with 
the subnetmask and then compare to your subnet:

net 10.10.0.0/16:  ip[20+12:4] & 0xffff0000 = 0x0a0a0000 or ip[20+16:4] & 0xffff0000 = 0x0a0a0000
net 192.168.202.96/27:  ip[20+12:4] & 0xfffffffe0 = 0xc0a8ca60 or ip[20+16:4] & 0xfffffffe0 = 0xc0a8ca60

(255.255.0.0 = ff.ff.0.0 => 0xffff0000, 10.10.0.0 = 0a.0a.0.0 => 0x0a0a0000, 255.255.255.224 = ff.ff.ff.e0 => 
0xffffffe0, 192.168.202.96 = c0.a8.ca.60 => 0xc0a8ca60)

In total:


ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060) and (ip[20+12:4] & 0xffff0000 = 0x0a0a0000 or 
ip[20+16:4] & 0xffff0000 = 0x0a0a0000)

and

ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060) and (ip[20+12:4] & 0xfffffffe0 = 0xc0a8ca60 
or ip[20+16:4] & 0xfffffffe0 = 0xc0a8ca60)

Cheers,
Sake
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe