tcpdump mailing list archives
Re: Capture filter help
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Thu, 17 Jan 2008 18:37:17 +0000
On 2008-01-17 13:20, Moheed Moheed Ahmad wrote:
> The problem I am facing is the same interface sometimes gives the normal packet and sometimes with 12 bytes extra. So when I apply the normal capture filter those with normal packets get filtered out.
The length of the TCP header + options is encoded in the header in the upper nybble of octet 12; this nybble represents the number of longwords (4 octets) in the header. So if you want to match the beginning of the TCP payload, e.g. against 0xdeadbeef, you can do:
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0xdeadbeef

To get the next four octets, use:

tcp[(((tcp[12:1] & 0xf0) >> 2) + 4):4] = 0xdeadbeef

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
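The offset arithmetic above, worked through in Python as an added illustration (this is not code from the thread or from tcpdump). It constructs two sample TCP segments, one with a bare 20-byte header and one carrying 12 bytes of options (NOP, NOP, Timestamp, which is the usual way a segment gains exactly 12 extra bytes), then evaluates the header-aware match the way the filter does, alongside a fixed-offset `tcp[20:4]` check that silently misses the second segment. Ports, sequence numbers and payload values are arbitrary; `capture_filter()` simply renders the equivalent pcap expression so the two forms can be compared.

```python
import struct
from typing import Optional

# Added example, not from the original thread. Sample segments below are
# constructed here; ports, sequence numbers and payload values are arbitrary.


def tcp_data_offset(segment: bytes) -> int:
    """Byte offset of the TCP payload, computed exactly as the capture
    filter does: the upper nybble of octet 12 is the header length in
    32-bit words, so (octet & 0xf0) >> 2 equals (octet >> 4) * 4 bytes."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a minimal TCP header")
    return (segment[12] & 0xF0) >> 2


def payload_word(segment: bytes, word_index: int = 0) -> Optional[int]:
    """The word_index-th big-endian 4-octet word of the payload, or None when
    the segment is too short (a pcap filter simply fails to match there)."""
    off = tcp_data_offset(segment) + 4 * word_index
    if off + 4 > len(segment):
        return None
    return struct.unpack_from("!I", segment, off)[0]


def matches(segment: bytes, value: int, word_index: int = 0) -> bool:
    """Equivalent of tcp[((tcp[12:1] & 0xf0) >> 2) + 4*word_index:4] = value."""
    return payload_word(segment, word_index) == value


def naive_matches(segment: bytes, value: int) -> bool:
    """Equivalent of the fixed-offset filter tcp[20:4] = value, which assumes
    a 20-byte header and therefore misses segments carrying options."""
    if len(segment) < 24:
        return False
    return struct.unpack_from("!I", segment, 20)[0] == value


def capture_filter(value: int, word_index: int = 0) -> str:
    """Render the pcap filter expression that matches() evaluates in Python.
    The size after the colon must be a literal 1, 2 or 4, so any arithmetic
    for later words goes into the offset expression, not the size."""
    offset = "((tcp[12:1] & 0xf0) >> 2)"
    if word_index:
        offset = f"({offset} + {4 * word_index})"
    return f"tcp[{offset}:4] = 0x{value:08x}"


def build_segment(options: bytes, payload: bytes) -> bytes:
    """Constructed TCP segment (no IP header) with the given options/payload."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    header_words = (20 + len(options)) // 4
    data_offset_octet = header_words << 4      # upper nybble = header longwords
    flags = 0x18                                # PSH|ACK
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,             # src/dst port (arbitrary)
                         1, 1,                  # seq/ack (arbitrary)
                         data_offset_octet, flags,
                         65535, 0, 0)           # window, checksum, urgent
    return header + options + payload


PAYLOAD = bytes.fromhex("deadbeef" "cafebabe")

# Segment 1: plain 20-byte header.
PLAIN = build_segment(b"", PAYLOAD)

# Segment 2: the same payload behind 12 bytes of options, which is what a
# NOP, NOP, Timestamp (10 bytes) option block looks like on the wire.
TS_OPTIONS = bytes.fromhex("0101" "080a" "00000001" "00000002")
WITH_OPTIONS = build_segment(TS_OPTIONS, PAYLOAD)


if __name__ == "__main__":
    for name, seg in (("plain", PLAIN), ("with-options", WITH_OPTIONS)):
        print(f"{name}: data offset={tcp_data_offset(seg)} "
              f"tcp[20:4] match={naive_matches(seg, 0xDEADBEEF)} "
              f"header-aware match={matches(seg, 0xDEADBEEF)} "
              f"second word={payload_word(seg, 1):#010x}")
    print(capture_filter(0xDEADBEEF))
    print(capture_filter(0xDEADBEEF, 1))
```

To check what libpcap actually compiles from such an expression, `tcpdump -d 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0xdeadbeef'` prints the BPF program without capturing anything. One caveat from the pcap-filter manual page: the `tcp[...]` index operator only works on IPv4, so this filter will not match the same payload in IPv6 traffic.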
Current thread:
- Capture filter help Moheed Moheed Ahmad (Jan 17)
- Re: Capture filter help Jefferson Ogata (Jan 17)
- Re: Capture filter help Jefferson Ogata (Jan 17)
- Re: Capture filter help Jefferson Ogata (Jan 17)