tcpdump mailing list archives

Re: question regarding pcap


From: Guy Harris <gharris () sonic net>
Date: Mon, 23 Dec 2002 00:07:09 -0800

On Mon, Dec 23, 2002 at 01:12:36AM -0500, subramoni padmanabhan wrote:
   I have a question. I have to capture all UDP packets belonging to a 
particular group. The group ID is a 64-bit quantity which starts at the 
first byte of the payload (right after the UDP header). How do I write a pcap 
filter expression to capture all such packets? As far as I know, we can only 
compare one byte.

No.  You can compare 1, 2, or 4 bytes in a single primitive expression:

              expr relop expr
                     True if the relation holds, where  relop  is
                     one  of  >, <, >=, <=, =, !=, and expr is an
                     arithmetic expression  composed  of  integer
                     constants  (expressed in standard C syntax),
                     the normal binary operators [+, -, *, /,  &,
                     |],  a  length  operator, and special packet
                     data accessors.  To access data  inside  the
                     packet, use the following syntax:
                          proto [ expr : size ]
                     Proto  is one of ether, fddi, ip, arp, rarp,
                     tcp, udp, or icmp, and indicates the  proto-
                     col layer for the index operation.  The byte
                     offset, relative to the  indicated  protocol
                     layer,  is  given by expr.  Size is optional
                     and indicates the number  of  bytes  in  the
                     field  of  interest;  it  can be either one,
                     two, or four,  and  defaults  to  one.   The
                     length  operator,  indicated  by the keyword
                     len, gives the length of the packet.

                     For example, `ether[0] & 1 != 0' catches all
                     multicast  traffic.  The expression `ip[0] &
                     0xf  !=  5'  catches  all  IP  packets  with
                     options.  The expression `ip[6:2] & 0x1fff =
                     0' catches only unfragmented  datagrams  and
                     frag  zero  of  fragmented  datagrams.  This
                     check is implicitly applied to the  tcp  and
                     udp  index operations.  For instance, tcp[0]
                     always means  the  first  byte  of  the  TCP
                     header, and never means the first byte of an
                     intervening fragment.

and you can compare 8 bytes by combining two expressions that check the
first 4 and the second 4 bytes.

As the UDP header has a fixed length of 8 bytes, you can compare the
first 4 bytes of the UDP payload against a value with "udp[8:4]" and
compare the second 4 bytes of the UDP payload against a value with
"udp[12:4]".  Note that 2-byte or 4-byte quantities are fetched as
*big-endian* values, so if the group ID is little-endian, you will have
to byte-swap the 4-byte values before putting them into a libpcap
expression.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
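The following is an added example, not part of the original thread and not libpcap's own code. It builds the two-primitive filter Guy describes from a 64-bit group ID (handling the byte-swap needed when the sender writes the ID little-endian on the wire), and then checks the same semantics against a constructed Ethernet/IPv4/UDP packet with a small Python evaluator that mimics what `udp[offset:size]` does, including libpcap's implicit "first fragment only" check. All packet values (MACs, addresses, ports, the group ID itself) are constructed for the example.

```python
import struct
from typing import Optional


def pcap_filter_for_group(group_id: int, little_endian: bool = False) -> str:
    """Return a libpcap filter matching UDP packets whose first 8 payload
    bytes carry group_id.

    libpcap fetches udp[8:4] and udp[12:4] as big-endian words, so we lay the
    ID out exactly as it appears on the wire and then read that layout back
    as two big-endian 32-bit words. For a little-endian sender this swaps
    the bytes within each word and the order of the two words.
    """
    wire = struct.pack("<Q" if little_endian else ">Q", group_id)
    hi, lo = struct.unpack(">II", wire)
    return f"udp and udp[8:4] = 0x{hi:08x} and udp[12:4] = 0x{lo:08x}"


def build_udp_packet(payload: bytes, frag_offset: int = 0) -> bytes:
    """Construct an Ethernet/IPv4/UDP frame around payload (constructed
    addresses; checksums left zero, which is fine for this evaluator)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"            # dst, src, EtherType IPv4
    total_len = 20 + 8 + len(payload)
    ip = struct.pack(
        ">BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, frag_offset & 0x1FFF,  # ver/ihl, tos, len, id, flags+frag
        64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),  # ttl, proto UDP, csum, src, dst
    )
    udp = struct.pack(">HHHH", 12345, 5000, 8 + len(payload), 0)
    return eth + ip + udp + payload


def udp_field(pkt: bytes, offset: int, size: int) -> Optional[int]:
    """Mimic libpcap's udp[offset:size] on a raw Ethernet frame: a big-endian
    fetch relative to the start of the UDP header, or None when the
    primitive cannot match (not IPv4/UDP, non-first fragment, too short)."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl = (pkt[14] & 0x0F) * 4
    ip = pkt[14:14 + ihl]
    if ip[9] != 17:                                     # protocol must be UDP
        return None
    if struct.unpack(">H", ip[6:8])[0] & 0x1FFF != 0:   # implicit fragment check
        return None
    field = pkt[14 + ihl + offset:14 + ihl + offset + size]
    if len(field) < size:
        return None
    return int.from_bytes(field, "big")


def matches_group(pkt: bytes, group_id: int, little_endian: bool = False) -> bool:
    """Evaluate the same two comparisons the filter string performs."""
    wire = struct.pack("<Q" if little_endian else ">Q", group_id)
    hi, lo = struct.unpack(">II", wire)
    return udp_field(pkt, 8, 4) == hi and udp_field(pkt, 12, 4) == lo


if __name__ == "__main__":
    gid = 0x0123456789ABCDEF                            # constructed group ID
    print(pcap_filter_for_group(gid))
    print(pcap_filter_for_group(gid, little_endian=True))
    pkt = build_udp_packet(struct.pack("<Q", gid) + b"hello")
    print(matches_group(pkt, gid), matches_group(pkt, gid, little_endian=True))
```

The generated string can be handed straight to `tcpdump` or `pcap_compile()`; the evaluator exists only to make the big-endian fetch and the fragment rule visible without a live capture. Note that for a little-endian group ID the first word on the wire is the low half of the ID, byte-reversed, which is why the little-endian filter shows the halves swapped.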

