Wireshark mailing list archives

Re: Wireshark Capture Filter Using Offset


From: Sake Blok <sake () euronet nl>
Date: Tue, 20 Jul 2010 17:18:21 +0200

On 20 jul 2010, at 16:55, George E Burns wrote:

> You mentioned the UDP header was 16 bytes, but I thought it was only 8 bytes. I have tried the recommended filter: udp port domain and (udp[19] & 0x78) = 0x28, but that does not seem to trigger the capture. I ran a comparison trace without the filter and verified the target packets were being received by the analyzer. Any ideas?

Indeed the UDP header is 8 bytes long, so that would make the filter:

udp port domain and (udp[11] & 0x78) = 0x28 

More information about capture filters can be found at the links Joke has sent earlier in this thread:

http://wiki.wireshark.org/CaptureFilters
http://procana.homeunix.com/#BON

And of course the tcpdump manual page is a great source.

Hope this helps,
Cheers,


Sake

PS: If you really want to dig into it, tcpdump -d <filter> will show you what the compiled BPF code will be, which you can use to verify the filter (if you understand the produced "machine-code").
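The offset arithmetic behind the corrected filter, worked through in code. This is an added example, not part of the thread above: it counts bytes from the start of the UDP header exactly as BPF's `udp[N]` does, maps `udp[11]` and `udp[19]` onto the DNS header (RFC 1035 layout, with the AD/CD bits of the second flags byte as defined for DNSSEC), and evaluates the `(udp[N] & 0x78) = 0x28` byte test against constructed datagrams. The packet contents, the flags value 0x8128 and the function names are all constructed for illustration and are not taken from the original posts.

```python
"""Added example: map a tcpdump/BPF 'udp[N]' offset to the DNS header byte it
actually tests, and evaluate the filter's byte test on constructed datagrams.
Offsets are counted from the start of the UDP header, as BPF's udp[] does."""
import struct

UDP_HEADER_LEN = 8  # source port, destination port, length, checksum

# DNS header byte layout (RFC 1035 section 4.1.1), offsets relative to the UDP payload.
DNS_HEADER_BYTES = {
    0: "ID (high)", 1: "ID (low)",
    2: "flags byte 1: QR, Opcode, AA, TC, RD",
    3: "flags byte 2: RA, Z, AD, CD, RCODE",
    4: "QDCOUNT (high)", 5: "QDCOUNT (low)",
    6: "ANCOUNT (high)", 7: "ANCOUNT (low)",
    8: "NSCOUNT (high)", 9: "NSCOUNT (low)",
    10: "ARCOUNT (high)", 11: "ARCOUNT (low)",
}

# Bit meanings of the second flags byte (RA/Z/RCODE from RFC 1035, AD/CD from RFC 4035).
FLAGS_BYTE2_BITS = {7: "RA", 6: "Z", 5: "AD", 4: "CD", 3: "RCODE bit 3",
                    2: "RCODE bit 2", 1: "RCODE bit 1", 0: "RCODE bit 0"}


def describe_udp_offset(n):
    """Name the byte that 'udp[n]' selects when the UDP header is 8 bytes."""
    if n < UDP_HEADER_LEN:
        return f"UDP header byte {n}"
    payload_off = n - UDP_HEADER_LEN
    if payload_off in DNS_HEADER_BYTES:
        return f"DNS header byte {payload_off}: {DNS_HEADER_BYTES[payload_off]}"
    return f"DNS payload byte {payload_off} (past the 12-byte header)"


def flags_byte2_bits(mask):
    """List which bits of the second flags byte a mask such as 0x78 selects."""
    return [FLAGS_BYTE2_BITS[b] for b in range(7, -1, -1) if mask & (1 << b)]


def build_dns_datagram(flags, arcount=0, sport=53, dport=40000):
    """Constructed UDP datagram: 8-byte UDP header, DNS header, one question."""
    dns_header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, arcount)
    question = b"\x03foo\x00" + struct.pack("!HH", 1, 1)  # constructed "foo." A IN
    payload = dns_header + question
    udp_header = struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0)
    return udp_header + payload


def matches_byte_test(datagram, offset, mask, value):
    """Evaluate '(udp[offset] & mask) = value' the way the BPF filter does."""
    if offset >= len(datagram):
        return False  # a load past the end of the packet makes BPF reject it
    return (datagram[offset] & mask) == value


if __name__ == "__main__":
    for n in (11, 19):
        print(f"udp[{n}] -> {describe_udp_offset(n)}")
    print("mask 0x78 selects:", flags_byte2_bits(0x78))
    # Constructed flags 0x8128: second flags byte is 0x28, so udp[11] matches,
    # while udp[19] lands on the low byte of ARCOUNT and never sees the flags.
    pkt = build_dns_datagram(flags=0x8128)
    print("udp[11] & 0x78 = 0x28 :", matches_byte_test(pkt, 11, 0x78, 0x28))
    print("udp[19] & 0x78 = 0x28 :", matches_byte_test(pkt, 19, 0x78, 0x28))
```

Running it shows why the original filter stayed silent: with an 8-byte UDP header, `udp[19]` is the low byte of ARCOUNT, eleven bytes into the DNS header, so the mask was being applied to a record count rather than to the flags. The `describe_udp_offset` helper is the same check `tcpdump -d` lets you do by reading the emitted `ldb [N]` instruction, only with the DNS field names spelled out.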
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

