Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: using offset to check any byte in the whole ether-frame

From: Guy Harris <guy () alum mit edu>
Date: Thu, 21 Nov 2013 11:07:58 -0800

On Nov 21, 2013, at 7:02 AM, Julio Talaverano <delaflota () yahoo com> wrote:


as far as I saw up to now offsets can only be used on specific fields like ip, tcp, eth.src and such.


Offsets can be used in:

        "fields" that are actually protocols;

        fields that are byte arrays;

        fields that are MAC addresses;

and there might be some other fields.  So, for example, they can be used on dns.


I'd like to do something like:
etherframe[1410:2] == 20:f1 for example.

What I wanted to check for is the hostname a dns request asked for


Then, at least with Wireshark 1.10.0 or later (and possibly earlier), just check dns.qry.name by comparing it against a 
string corresponding to the name.


and the related icmp port unreachable error messages which also include the hostname in their load behind the icmp 
header.


Try doing the same there.


Or even the ip identification field in both, the ip packet and in the load of the icmp error message, as above.


Try comparing ip.id against the value you're looking for.


This way I'd like to know how long our proxies keep asking the same name server
for the resolution of the same hostname after reception of the port unreachable error message. 

Any hint?


Yes.

Instead of trying to look at raw bytes in the packet, use named fields corresponding to what you're actually interested 
in.

If no named field corresponds to what you're looking for, then

        1) file an enhancement request at http://bugs.wireshark.org, as, ideally, all fields in packets should be named 
if possible;

        2) use offsets within the protocol you're looking at (assuming the field in question is at a specific offset; 
that's why named fields are superior to looking at raw bytes - they handle fields *not* at specific offsets within the 
protocol).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: