Re: Wireshark Capture Filter Using Offset

[Guy Harris <guy () alum mit edu>]

On Jul 20, 2010, at 8:18 AM, Sake Blok wrote:

> And of course the tcpdump manual page is a great source.

...unless you have tcpdump 4.0 or later, in which case the manual page assumes you also have libpcap 1.0 or later, and 
refers you to the libpcap pcap-filter man page, to which the description of the capture filter language has been moved 
(as the filter language is implemented in libpcap/WinPcap, and is thus used by more programs than just tcpdump).

For Windows users, see

        http://www.winpcap.org/docs/docs_412/html/group__language.html

> PS  If you really want to dig into it, tcpdump -d <filter> will show you what the compiled BPF code will be, which 
> you can use to verify the filter (if you understand the produced "machine-code").

And if you don't understand it but want to, start at

        http://www.tcpdump.org/papers/bpf-usenix93.pdf

which briefly describes the pseudo-machine in "3.3 The BPF Pseudo-Machine".
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe