Snort mailing list archives

Re: TCPDUMP Filter don't work :(


From: Phil Wood <cpw () lanl gov>
Date: Wed, 9 Oct 2002 12:51:00 -0600

Try "not \( udp[8] = 0x80 and udp[9] = 0x04 \)"

On Wed, Oct 09, 2002 at 07:23:05PM +0000, counterping () uk2 net wrote:

Hiya,

I have just started playing with filters within TCPDUMP and am a little 
confused ....

I do NOT want to log RTP traffic on my network, but want to log everything else.
RTP runs over UDP. The first two bytes in the PAYLOAD are always the same (this 
is the RTP Header), and they have the hex values 80 and 04.

I have used the following filter to look at the first 2 bytes AFTER the UDP 
packet (bytes 8 and 9), UDP packets are always 8 Bytes. (so it's kinda fooling 
the app)

"!udp[8] = 0x80 and udp[9] = 0x04"

And it doesn't work .... BUT what's really weird.....
if I remove the 'NOT' operator (!) it works just fine, capturing ALL the RTP 
traffic ONLY!

Any help would be really appreciated, I must be doing something real stupid.
Cheers
MC






-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov



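An added example, not part of this thread, showing why the two spellings select different packets: a few constructed IPv4/UDP datagrams are evaluated with the precedence the tcpdump filter language applies, where `!`/`not` binds only to the single comparison right after it unless parentheses group the whole expression.

```python
# Constructed sample packets and a tiny udp[N] byte-offset matcher (not libpcap)
# used to compare "!udp[8] = 0x80 and udp[9] = 0x04" with
# "not (udp[8] = 0x80 and udp[9] = 0x04)".
import struct


def build_udp_packet(payload: bytes) -> bytes:
    """Minimal IPv4 header + UDP header + payload (no link-layer header)."""
    total_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 5004, 5004, 8 + len(payload), 0)
    return ip + udp + payload


def udp_byte(pkt: bytes, idx: int) -> int:
    """udp[idx] in tcpdump terms: idx is relative to the start of the UDP header."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + idx]


def has_udp_bytes(pkt: bytes, n: int) -> bool:
    """BPF rejects a packet outright if a referenced byte lies past its end."""
    return len(pkt) >= (pkt[0] & 0x0F) * 4 + n


def filter_as_written(pkt: bytes) -> bool:
    """'!udp[8] = 0x80 and udp[9] = 0x04': the ! negates only the first test."""
    if not has_udp_bytes(pkt, 10):
        return False
    return (not udp_byte(pkt, 8) == 0x80) and udp_byte(pkt, 9) == 0x04


def filter_intended(pkt: bytes) -> bool:
    """'not (udp[8] = 0x80 and udp[9] = 0x04)': negate the whole conjunction."""
    if not has_udp_bytes(pkt, 10):
        return False
    return not (udp_byte(pkt, 8) == 0x80 and udp_byte(pkt, 9) == 0x04)


# Constructed payloads: an RTP-looking one (0x80 0x04), a DNS-looking one, and
# one whose second byte happens to be 0x04 but whose first byte is not 0x80.
SAMPLES = {
    "rtp": build_udp_packet(bytes([0x80, 0x04, 0x00, 0x01])),
    "dns": build_udp_packet(bytes([0x12, 0x34, 0x01, 0x00])),
    "other": build_udp_packet(bytes([0x00, 0x04, 0xAA, 0xBB])),
}


def matches(filt) -> list:
    """Names of the sample packets a filter would capture, sorted."""
    return sorted(name for name, pkt in SAMPLES.items() if filt(pkt))
```

Only the grouped form keeps everything except RTP; the ungrouped form captures just packets whose byte 9 is 0x04 and byte 8 is not 0x80, which is why the original filter appeared to capture nothing. Writing the filter with `not` and escaped parentheses, as in the reply, also avoids an interactive bash session treating `!u` as a history expansion inside double quotes.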

