Wireshark mailing list archives
Re: Wireshark Capture Filter Using Offset
From: Guy Harris <guy () alum mit edu>
Date: Tue, 20 Jul 2010 10:53:18 -0700
On Jul 20, 2010, at 8:29 AM, George E Burns wrote:
I made a few changes to the filter
Sorry about that - I guess I was incrementing by 2 rather than 1 when counting bytes in RFC 768.
and this one is working: udp port 53 and (udp[10] & 0xff) = 0x28
"udp[10] & 0xff" is equivalent to "udp[10]", as "udp[10]" is a single byte at an offset of 10 from the beginning of the UDP header: expr relop expr True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |, <<, >>], a length operator, and special packet data accessors. Note that all comparisons are unsigned, so that, for example, 0x80000000 and 0xffffffff are > 0. To access data inside the packet, use the following syntax: proto [ expr : size ] Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.) Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, rela- tive to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to ^^^^^^^^^^^^^^^^^ one. The length operator, indicated by the keyword len, gives ^^^ the length of the packet. and 0xff masks out no bits from a single byte. However, as per RFC 1035, that byte is 0 1 2 3 4 5 6 7 ... +--+--+--+--+--+--+--+--+ |QR| Opcode |AA|TC|RD| +--+--+--+--+--+--+--+--+ so unless you *only* want queries (QR = 0), and *don't* want queries where recursion is desired (i.e., you only want queries where RD = 0), you should probably leave in the 0x78 mask. (AA and TC are presumably both 0 in a query.) (Note also the "Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future)." I.e., that filter won't capture any DNS-over-IPv6 packets.) ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Wireshark Capture Filter Using Offset George E Burns (Jul 19)
- Re: Wireshark Capture Filter Using Offset j.snelders (Jul 19)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 19)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 19)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 19)
- Re: Wireshark Capture Filter Using Offset George E Burns (Jul 20)
- Re: Wireshark Capture Filter Using Offset Sake Blok (Jul 20)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 20)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 19)
- Re: Wireshark Capture Filter Using Offset George E Burns (Jul 20)
- Re: Wireshark Capture Filter Using Offset Guy Harris (Jul 20)
- Re: Wireshark Capture Filter Using Offset j.snelders (Jul 19)