Wireshark mailing list archives
Re: Wireshark Capture Filter Using Offset
From: "George E Burns" <geburns () ashland com>
Date: Tue, 20 Jul 2010 11:29:00 -0400
Hello Guy,

I made a few changes to the filter and this one is working:

udp port 53 and (udp[10] & 0xff) = 0x28

Thanks for your input!

George

From: Guy Harris <guy () alum mit edu>
To: Community support list for Wireshark <wireshark-users () wireshark org>
Date: 07/20/2010 02:55 AM
Subject: Re: [Wireshark-users] Wireshark Capture Filter Using Offset
Sent by: wireshark-users-bounces () wireshark org

On Jul 19, 2010, at 11:37 PM, Guy Harris wrote:
The UDP header is 16 bytes, so you have to add 16 to the offset from the
beginning of the DNS header. The opcode is in the byte at an offset of 3 from the beginning of the DNS header, so that's an offset of 19 (which is *NOT* 0x2C!), so the filter would be
udp port domain and (udp[19] & 0x78) = 0x50
Sorry, that's

udp port domain and (udp[19] & 0x78) = 0x28

Caring about the query vs. response flag is left as an exercise for the reader.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
--------------------------------------------------
This e-mail contains information which may be privileged, confidential, proprietary, trade secret and/or otherwise legally protected. If you are not the intended recipient, please do not distribute this e-mail. Instead, please delete this e-mail from your system, and notify us that you received it in error. No waiver of any applicable privileges or legal protections is intended (and nothing herein shall constitute such a waiver), and all rights are reserved.
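The thread settles on a byte-offset capture filter without showing where the numbers come from, so here is an added worked example (editor's code, not from the thread or from Wireshark). It assumes the standard layouts: an 8-byte UDP header (RFC 768) followed by a DNS header whose first two bytes are the transaction ID and whose third byte carries QR, the 4-bit opcode, AA, TC and RD (RFC 1035 section 4.1.1). That is why the working filter tests udp[10]: pcap's udp[n] counts from the start of the UDP header, so 8 + 2 = 10. The example builds constructed DNS-over-UDP datagrams, evaluates the two masks used in the thread (George's 0xff, which only matches when every other flag bit is zero, and Guy's 0x78, which isolates the opcode), and folds the QR bit into the mask to answer the "exercise for the reader": 0xf8 matches UPDATE (opcode 5) requests only. The packet builder, field names and helper functions are the editor's own.

```python
import struct

# Assumed layout, per RFC 768 (UDP) and RFC 1035 section 4.1.1 (DNS header).
UDP_HEADER_LEN = 8       # src port, dst port, length, checksum: 2 bytes each
DNS_FLAGS_OFFSET = 2     # DNS header starts with a 2-byte transaction ID, then flags
FLAGS_BYTE = UDP_HEADER_LEN + DNS_FLAGS_OFFSET   # udp[10] in capture-filter terms

QR_MASK = 0x80           # bit 7 of the first flags byte: 0 = query, 1 = response
OPCODE_MASK = 0x78       # bits 6..3: the 4-bit opcode
RD_MASK = 0x01           # bit 0: recursion desired

OPCODE_QUERY, OPCODE_UPDATE = 0, 5   # RFC 1035 QUERY, RFC 2136 UPDATE


def build_dns_over_udp(opcode, response=False, rd=False, txid=0x1234,
                       sport=40000, dport=53):
    """Constructed test datagram: UDP header followed by a bare DNS header."""
    flags_hi = (QR_MASK if response else 0) | ((opcode & 0x0F) << 3) | (RD_MASK if rd else 0)
    flags_lo = 0                                  # RA, Z and RCODE all zero
    dns = struct.pack("!HBBHHHH", txid, flags_hi, flags_lo, 0, 0, 0, 0)  # 12 bytes
    udp = struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(dns), 0)
    return udp + dns


def byte_test(datagram, offset, mask, value):
    """Evaluate the capture-filter primitive (udp[offset] & mask) = value."""
    return (datagram[offset] & mask) == value


def filter_string(offset, mask, value):
    """Render the same test as a pcap capture filter, in the thread's form."""
    return f"udp port domain and (udp[{offset}] & {mask:#04x}) = {value:#04x}"


def update_request_filter():
    """Opcode UPDATE with the QR bit clear: requests only, any AA/TC/RD."""
    mask = QR_MASK | OPCODE_MASK          # 0xf8
    value = OPCODE_UPDATE << 3            # 0x28
    return FLAGS_BYTE, mask, value


def classify(datagram):
    """Decode the flags byte the filters test, for comparison with the masks."""
    b = datagram[FLAGS_BYTE]
    return {"qr": "response" if b & QR_MASK else "query",
            "opcode": (b & OPCODE_MASK) >> 3,
            "rd": bool(b & RD_MASK)}


if __name__ == "__main__":
    samples = [("UPDATE query, RD clear", build_dns_over_udp(OPCODE_UPDATE)),
               ("UPDATE query, RD set", build_dns_over_udp(OPCODE_UPDATE, rd=True)),
               ("UPDATE response", build_dns_over_udp(OPCODE_UPDATE, response=True)),
               ("standard QUERY, RD set", build_dns_over_udp(OPCODE_QUERY, rd=True))]
    off, mask, val = update_request_filter()
    for desc, pkt in samples:
        print(f"{desc:24s} {classify(pkt)} "
              f"0xff:{byte_test(pkt, FLAGS_BYTE, 0xff, 0x28)} "
              f"0x78:{byte_test(pkt, FLAGS_BYTE, 0x78, 0x28)} "
              f"0xf8:{byte_test(pkt, off, mask, val)}")
    print(filter_string(off, mask, val))
```

Running it shows the practical difference between the two masks from the thread: the 0xff test stops matching as soon as a client sets RD, while 0x78 keeps matching but also accepts the server's UPDATE responses; the rendered filter with mask 0xf8 is the one to use when only inbound UPDATE requests are of interest.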
Current thread:
- Wireshark Capture Filter Using Offset George E Burns (Jul 19)
- Re: Wireshark Capture Filter Using Offset j.snelders (Jul 19)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 19)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 19)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 19)
- Re: Wireshark Capture Filter Using Offset George E Burns (Jul 20)
- Re: Wireshark Capture Filter Using Offset Sake Blok (Jul 20)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 20)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 19)
- Re: Wireshark Capture Filter Using Offset George E Burns (Jul 20)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 20)
- Re: Wireshark Capture Filter Using Offset j.snelders (Jul 19)