Wireshark mailing list archives
Re: tcpdump forum ?
From: "Aktuna, Ilker, Vodafone Turkey" <ilker.aktuna () vodafone com>
Date: Tue, 4 Sep 2012 09:07:49 +0000
Hi,

That was quick :)
Thank you very much. It works just as expected.

Cheers,
ilker

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Sake Blok
Sent: Tuesday, September 04, 2012 8:43 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tcpdump forum ?

On 4 sep 2012, at 07:19, Aktuna, Ilker, Vodafone Turkey wrote:

> How can I add a network address condition to the following filter ?
>
> “ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060)”
>
> I want to add a source/dest network condition like “net 10.10.0.0/16” , or “net 192.168.202.96/27”

OK, you want to look at the IP src and IP dst address in the inner IP header, they are at offset 12 and 16, so you will have to use "ip[20+12:4]" and "ip[20+16:4]". You want to calculate the (sub)network address, so you need to "and" with the subnetmask and then compare to your subnet:

net 10.10.0.0/16:

    ip[20+12:4] & 0xffff0000 = 0x0a0a0000 or ip[20+16:4] & 0xffff0000 = 0x0a0a0000

net 192.168.202.96/27:

    ip[20+12:4] & 0xffffffe0 = 0xc0a8ca60 or ip[20+16:4] & 0xffffffe0 = 0xc0a8ca60

(255.255.0.0 = ff.ff.0.0 => 0xffff0000,
 10.10.0.0 = 0a.0a.0.0 => 0x0a0a0000,
 255.255.255.224 = ff.ff.ff.e0 => 0xffffffe0,
 192.168.202.96 = c0.a8.ca.60 => 0xc0a8ca60)

In total:

    ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060) and (ip[20+12:4] & 0xffff0000 = 0x0a0a0000 or ip[20+16:4] & 0xffff0000 = 0x0a0a0000)

and

    ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060) and (ip[20+12:4] & 0xffffffe0 = 0xc0a8ca60 or ip[20+16:4] & 0xffffffe0 = 0xc0a8ca60)

Cheers,
Sake

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Legal Notice: This e-mail is subject to the Terms and Conditions document that you can reach using this link
http://www.vodafone.com.tr/VodafoneHakkinda/eposta-hukuki-sartlar.php
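
Added example, not part of the original thread: a Python sketch that derives the mask-and-compare clause for any IPv4 CIDR and applies the same comparison to a constructed IP-in-IP packet, so the offsets and hex values can be checked before the filter is handed to tcpdump. The function names and the sample packet are assumptions made for this example; like the filter in the thread, it assumes a 20-byte outer IP header (no options).

```python
import ipaddress
import struct

OUTER_IHL = 20  # assumption carried over from the thread: outer IPv4 header has no options


def inner_net_clause(cidr, outer_len=OUTER_IHL):
    """Return a pcap-filter clause matching inner src or dst inside `cidr`."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    if net.version != 4:
        raise ValueError("IPv4 only")
    mask, value = int(net.netmask), int(net.network_address)
    src = f"ip[{outer_len}+12:4] & 0x{mask:08x} = 0x{value:08x}"
    dst = f"ip[{outer_len}+16:4] & 0x{mask:08x} = 0x{value:08x}"
    return f"({src} or {dst})"


def inner_matches(ip_packet, cidr, outer_len=OUTER_IHL):
    """Apply the same mask-and-compare to raw bytes starting at the outer IP header."""
    net = ipaddress.ip_network(cidr)
    mask, value = int(net.netmask), int(net.network_address)
    # Inner src sits at outer_len+12, inner dst right after it at outer_len+16.
    src, dst = struct.unpack_from("!II", ip_packet, outer_len + 12)
    return (src & mask) == value or (dst & mask) == value


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def ipip_sip_packet(inner_src, inner_dst):
    """Constructed IP-in-IP packet carrying UDP to port 5060 (sample input)."""
    udp = struct.pack("!HHHH", 40000, 5060, 8, 0)
    inner = ipv4_header(inner_src, inner_dst, 17, len(udp)) + udp
    # Outer addresses are documentation-range placeholders.
    return ipv4_header("198.51.100.1", "198.51.100.2", 4, len(inner)) + inner


if __name__ == "__main__":
    base = "ip proto 4 and ip[20+9]=17 and (ip[20+20+0:2]=5060 or ip[20+20+2:2]=5060)"
    for cidr in ("10.10.0.0/16", "192.168.202.96/27"):
        print(f"{base} and {inner_net_clause(cidr)}")
```
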