tcpdump mailing list archives
Re: question regarding pcap
From: Guy Harris <gharris () sonic net>
Date: Mon, 23 Dec 2002 00:07:09 -0800
On Mon, Dec 23, 2002 at 01:12:36AM -0500, subramoni padmanabhan wrote:
> I have a question. I have to capture all UDP packets belonging to a particular group. The group ID is a 64-bit quantity which starts at the first byte of the payload (right after the UDP header). How do I write a pcap filter expression to capture all such packets? As far as I know, we can only compare one byte.
No. You can compare 1, 2, or 4 bytes in a single primitive expression:

    expr relop expr
        True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:

            proto [ expr : size ]

        Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.

        For example, `ether[0] & 1 != 0' catches all multicast traffic. The expression `ip[0] & 0xf != 5' catches all IP packets with options. The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and frag zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

and you can compare 8 bytes by combining two expressions that check the first 4 and the second 4 bytes.

As the UDP header has a fixed length of 8 bytes, you can compare the first 4 bytes of the UDP payload against a value with "udp[8:4]" and compare the second 4 bytes of the UDP payload against a value with "udp[12:4]".

Note that 2-byte or 4-byte quantities are fetched as *big-endian* values, so if the group ID is little-endian, you will have to byte-swap the 4-byte values before putting them into a libpcap expression.

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
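As an added illustration (not part of the original thread), the Python below builds the two-primitive filter described above for a given 64-bit group ID, applying the byte-swap when the ID is little-endian on the wire, and evaluates the same big-endian 4-byte fetches against a constructed UDP datagram the way BPF's udp[8:4] and udp[12:4] would. The group ID and port numbers are made-up sample values.

```python
import struct

UDP_HEADER_LEN = 8  # UDP header is fixed-length, so the payload starts at udp[8]


def _as_bpf_words(group_id: int, little_endian: bool) -> tuple:
    """Return (udp[8:4], udp[12:4]) as libpcap will fetch them: the ID is laid
    out on the wire in the sender's byte order, but each 4-byte index
    operation reads big-endian, so a little-endian ID must be byte-swapped."""
    if not 0 <= group_id < 1 << 64:
        raise ValueError("group_id must fit in 64 bits")
    wire = group_id.to_bytes(8, "little" if little_endian else "big")
    return struct.unpack("!II", wire)  # two big-endian 32-bit reads


def group_id_filter(group_id: int, little_endian: bool = False) -> str:
    """Filter expression matching UDP datagrams whose payload starts with
    group_id; constants use the C hex syntax the filter language accepts."""
    hi, lo = _as_bpf_words(group_id, little_endian)
    return (f"udp[{UDP_HEADER_LEN}:4] = {hi:#010x} and "
            f"udp[{UDP_HEADER_LEN + 4}:4] = {lo:#010x}")


def matches(udp_datagram: bytes, group_id: int, little_endian: bool = False) -> bool:
    """Apply the same two comparisons to a raw UDP datagram (header included).
    A datagram too short for the 4-byte load fails the match, as it would in BPF."""
    if len(udp_datagram) < UDP_HEADER_LEN + 8:
        return False
    hi = int.from_bytes(udp_datagram[8:12], "big")
    lo = int.from_bytes(udp_datagram[12:16], "big")
    return (hi, lo) == _as_bpf_words(group_id, little_endian)


def make_datagram(payload: bytes, sport: int = 5000, dport: int = 6000) -> bytes:
    """Constructed sample UDP datagram: header with a zero checksum plus payload."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload


if __name__ == "__main__":
    gid = 0x0123456789ABCDEF  # constructed sample group ID
    print(group_id_filter(gid))                     # ID sent big-endian
    print(group_id_filter(gid, little_endian=True)) # ID sent little-endian
    print(matches(make_datagram(gid.to_bytes(8, "big") + b"data"), gid))
```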