Wireshark mailing list archives

Re: Display Filter frame - how do that work?

From: Marco Simone Zuppone <msz () msz eu>
Date: Wed, 15 Dec 2010 14:35:20 +0000

Hello,


there is not a fix list. It depends what the frame contains.
So frame[282:3]  means only the take 3 bytes starting from the 282th byte...
 Regards,
Marco

On Wed, Dec 15, 2010 at 2:04 PM, Jürgen Dietl
<juergen.dietl () googlemail com>wrote:

Hello,

today I made a trace and I wanted to see all the DHCPNAK.

For this I found a filter:

frame[282:3] == 35:01:06

It works perfect. But my question is how is this filter defined.

For example frame[282:3] == 35:01:02 would be DHCPOFFER.

So {282:3] must be then DHCP. But how is that defined? Is that an offset?
some bit? just a fix list?

and what is 35:01:06.


Any help would be greatly appreciated.

thanx a lot and have a nice day,

cheers,
Juergen


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org
?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

Display Filter frame - how do that work? Jürgen Dietl (Dec 15)
- Re: Display Filter frame - how do that work? Marco Simone Zuppone (Dec 15)
- Re: Display Filter frame - how do that work? Jaap Keuter (Dec 15)