Wireshark mailing list archives

Re: Wireshark Capture Filter Using Offset


From: Guy Harris <guy () alum mit edu>
Date: Mon, 19 Jul 2010 23:37:20 -0700


On Jul 19, 2010, at 2:27 PM, George E Burns wrote:

> I have a question regarding "capture" filters.  Specifically, I need to write a low level filter that will capture
> dynamic DNS update packets containing the opcode value of 0x05.  I know what the offset value is (0x2C and 0x2D) in
> the payload, but apparently I am missing something when trying to understand the correct "tcp dump" syntax to use as
> part of the capture filter in Wireshark.
>
> Capture Filter:         udp[2c] == 28 and udp[2d] == 00

Numbers in capture filters are, by default, *decimal*, not *hexadecimal*, so "udp[2c]" is illegal.  To look at the byte 
at an offset of 0x2c = 44 from the beginning of the UDP header, you need to look at udp[0x2c] or udp[44].

However, the opcode value doesn't take an entire byte, so you need to use a mask.

Also, the comparison-for-equality operator in capture filters is =, not ==.

The UDP header is 16 bytes, so you have to add 16 to the offset from the beginning of the DNS header.  The opcode is in 
the byte at an offset of 3 from the beginning of the DNS header, so that's an offset of 19 (which is *NOT* 0x2C!), so 
the filter would be

        udp port domain and (udp[19] & 0x78) = 0x50

if you want to capture all DNS-over-UDP packets with an opcode of 5.  (DNS-over-TCP is left as an exercise for the 
reader.)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
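The thread's point is that a pcap capture filter such as `udp[N]` indexes bytes from the start of the UDP header, with decimal offsets unless written as `0x..`, and that the DNS opcode is a four-bit field that needs a mask. The following Python script is an added example, not code from the thread or from Wireshark: it builds a constructed UDP datagram carrying a DNS header with a chosen opcode, evaluates the same byte-and-mask test a capture filter would apply, and prints the equivalent filter text. The offsets are taken from RFC 768 (8-byte UDP header) and RFC 1035 section 4.1.1 (the opcode occupies bits 1-4 of the second byte of the DNS header, so `udp[10]` from the UDP header start); the function names and the sample datagram contents are assumptions for illustration.

```python
import struct

UDP_HEADER_LEN = 8       # RFC 768: src port, dst port, length, checksum, 2 bytes each
DNS_OPCODE_OFFSET = 2    # RFC 1035 s4.1.1: header byte 2 = QR(1) | Opcode(4) | AA | TC | RD
DNS_OPCODE_MASK = 0x78   # 0b0111_1000 selects the four opcode bits, dropping QR/AA/TC/RD
DNS_OPCODE_UPDATE = 5    # RFC 2136 dynamic update


def build_udp_dns(opcode, response=False, src_port=40000, dst_port=53, txid=0x1234):
    """Return a constructed UDP datagram (no IP/Ethernet framing) whose payload is a
    DNS header with the given opcode plus one minimal question section.
    Sample values only; the checksum is left as 0 (IPv4 'not computed')."""
    flags = (opcode & 0xF) << 11            # opcode sits in bits 11-14 of the 16-bit flags word
    if response:
        flags |= 0x8000                     # QR bit
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # id, flags, qd=1, an, ns, ar
    dns += b"\x07example\x00" + struct.pack("!HH", 1, 1)    # "example." A IN (constructed)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, UDP_HEADER_LEN + len(dns), 0)
    return udp_hdr + dns


def udp_byte(datagram, offset):
    """Equivalent of udp[offset] in pcap-filter syntax: byte at a (decimal) offset
    from the start of the UDP header."""
    return datagram[offset]


def opcode_of(datagram):
    """Extract the DNS opcode the way the filter sees it: mask then shift."""
    return (udp_byte(datagram, UDP_HEADER_LEN + DNS_OPCODE_OFFSET) & DNS_OPCODE_MASK) >> 3


def matches_opcode(datagram, opcode):
    """The test a capture filter applies: (udp[10] & 0x78) = opcode << 3.
    QR is masked out, so both requests and responses with that opcode match."""
    b = udp_byte(datagram, UDP_HEADER_LEN + DNS_OPCODE_OFFSET)
    return (b & DNS_OPCODE_MASK) == (opcode << 3)


def capture_filter_for_opcode(opcode):
    """pcap-filter text equivalent to matches_opcode(); 'domain' would also be accepted
    in place of 53, and '==' is written as '=' here to match the thread."""
    return (f"udp port 53 and (udp[{UDP_HEADER_LEN + DNS_OPCODE_OFFSET}] "
            f"& {DNS_OPCODE_MASK:#x}) = {(opcode << 3):#x}")


if __name__ == "__main__":
    update_req = build_udp_dns(DNS_OPCODE_UPDATE)
    update_resp = build_udp_dns(DNS_OPCODE_UPDATE, response=True)
    std_query = build_udp_dns(0)
    print("filter:", capture_filter_for_opcode(DNS_OPCODE_UPDATE))
    for name, d in (("UPDATE request", update_req),
                    ("UPDATE response", update_resp),
                    ("standard query", std_query)):
        # udp[0x0a] and udp[10] name the same byte; only the spelling differs
        print(f"{name:16s} udp[10]=0x{udp_byte(d, 0x0A):02x} "
              f"opcode={opcode_of(d)} match={matches_opcode(d, DNS_OPCODE_UPDATE)}")
```

Running the script shows the UPDATE request and response matching (bytes 0x28 and 0xa8 both mask to 0x28) while the standard query does not. Whatever offsets you settle on, this kind of offline check against a packet you built yourself is a cheap way to confirm a byte-offset filter before relying on it in a live capture.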