tcpdump mailing list archives
Re: tcpdump filter for HTTP GET
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Mon, 08 Nov 2004 14:23:18 -0500
Robert Lowe wrote:
Jefferson Ogata wrote:tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420Beautiful! But wouldn't the bit-shift be for 4 bits? Thanks!!!!
It would, but then you'd have to multiply by 4 since the offset is in multiples of 4. So >> 2 does the shift and multiply in one operation.
-- Jefferson Ogata <Jefferson.Ogata () noaa gov> NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov> - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- tcpdump filter for HTTP GET Robert Lowe (Nov 08)
- Re: tcpdump filter for HTTP GET Jefferson Ogata (Nov 08)
- Re: tcpdump filter for HTTP GET Robert Lowe (Nov 08)
- Re: tcpdump filter for HTTP GET Guy Harris (Nov 08)
- Re: tcpdump filter for HTTP GET Jefferson Ogata (Nov 08)
- Re: tcpdump filter for HTTP GET Robert Lowe (Nov 08)
- Re: tcpdump filter for HTTP GET Robert Lowe (Nov 08)
- Re: tcpdump filter for HTTP GET Jefferson Ogata (Nov 08)