Re: Hex Offset Needed

[Sake Blok <sake () euronet nl>]

Nope, you're not missing anything, I omitted something ;-)

Indeed rightshifting is a division, but I forgot to mention that in taking the upper 4 bits by anding with 0xf0, the 
result must first be devided by 16. So rightshifting 4 bits and then leftshifting two bits. Result: rightshifting 2 
bits.

Cheers,


Sake

On 4 mrt 2010, at 06:17, Jehanzeb Khan wrote:

> Hi Sake
>  I hope all is well at your end. I was just wondering if shifting right would be division instead of multiplication? 
> Or am i missing something?
>
> Regards
> Jehanzeb
>
> From: Sake Blok <sake () euronet nl>
> To: Community support list for Wireshark <wireshark-users () wireshark org>
> Sent: Thu, March 4, 2010 2:42:29 AM
> Subject: Re: [Wireshark-users] Hex Offset Needed
>
> Or if your capturing device is capable of interpreting tcpdump style filters (or more accurately, BPF style filters), 
> you could use:
>
> tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2] = 0x2030
>
> Which in English would be: 
> - take the upper 4 bits of the 12th octet in the tcp header ( tcp[12:1] & 0xf0 )
> - multiply it by four ( (tcp[12:1] & 0xf0)>>2 ) which should give the tcp header length
> - add 8 ( ((tcp[12:1] & 0xf0) >> 2) + 8 ) gives the offset into the tcp header of the space before the first octet of 
> the response code
> - now take two octets from the tcp stream, starting at that offset ( tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2]  )
> - and verify that they are " 0" ( = 0x2030 )
>
> Of course this can give you false positives, so you might want to add a test for "HTTP" and the start of the tcp 
> payload with:
>
> tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450
>
> resulting in the filter:
>
> tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 and tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2] = 0x2030
>
> A bit cryptic, but it works, even when TCP options are present (which would mess up a fixed offset into the tcp data).
>
> Cheers,
>
>
> Sake
>
>
> On 3 mrt 2010, at 18:17, Abhijit Bare wrote:
>
> > Hi John,
> >
> > Can you use "http/1.1" string as an indicator of response code? Only HTTP response packets have "http/1.1" or 
> > "http/1.0" (case can be upper) followed by a <space> followed by http response code (look for one digit). If you can 
> > parse this out while stream is coming in and that digit is "0", will that mean that you have found the packet? HTTP 
> > request also has "http/1.1", but there is generally no space and digit following it. Other traffic may not have the 
> > same pattern too.
> >
> > Thanks,
> > Abhijit
> >
> > On Tue, Mar 2, 2010 at 5:09 AM, Sheahan, John <John.Sheahan () priceline com> wrote:
> > Good points Martin.
> >
> >  
> > You’re right about there being no HTTP response code of 0.
> >
> >  
> > The software that the web guys use to analyze the front end web traffic will put a “0” in if it finds a packet that 
> > has an http accept and for some reason the HTTP response code is missing or unreadable and these are the packets 
> > that I’m trying to capture however there is so much HTTP traffic on the web segment that my buffer fills up in 
> > seconds so I need to try and narrow it down with a filter.
> >
> >  
> > The only things I have to go by are:
> >
> >  
> > 1.       Sometimes the HTTP Response code can’t be read.
> >
> > 2.       The problem seems to come from Safari browsers on MAC machines
> >
> >  
> > Since the User Agent data comes after a variable length Accept field as you point out, wouldn’t be easier for me at 
> > this point to filter on just Accept messages? I think if I do it this way, it will take a good amount of time to 
> > fill up the buffer and I can look to the web admins to tell me when they see the error in their logs and match it up 
> > that way?
> >
> >  
> > Thanks for the help
> >
> >  
> > John
> >
> >  
> > From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Martin 
> > Visser
> > Sent: Monday, March 01, 2010 9:53 PM
> >
> >
> > To: Community support list for Wireshark
> > Subject: Re: [Wireshark-users] Hex Offset Needed
> >
> >  
> > John,
> >
> >  
> > This is a bit tricky. Firstly I don't believe that there is a HTTP response code (or status code) with a value of "0"
> >
> >  
> > (See http://en.wikipedia.org/wiki/List_of_HTTP_status_codes and the RFCs )
> >
> >  
> > Also the HTTP "User-Agent" is going to go out in the request, and is not seen in the response. So whatever you do 
> > needs to be "stateful" knowing that the response is associated with a particular requests.
> >
> >  
> > Also I don't think there is a guarantee and on the "offset" in a packet where the response code will be and almost 
> > certainly not for the "User-Agent"  string as it usually preceded by the "Accept" string which is quite variable 
> > amongst browsers. 
> >
> >  
> > However you can use the Wireshark "Packet Bytes" pane (usually at the bottom of the window) to see if you cand 
> > devise something that is a "good enough" filter to limit what you capture and then refine it further with Wireshark 
> > to do it properly.
> >
> >  
> >  
> >  
> > Regards, Martin
> >
> > MartinVisser99 () gmail com
> >
> >
> > On Tue, Mar 2, 2010 at 11:36 AM, Sheahan, John <John.Sheahan () priceline com> wrote:
> >
> > Another way for me  to track this problem down is for me to sniff all Safari browsers on MAC’s using HTTP coming 
> > into our webservers.
> >
> >  
> > I will need to create a filter using the offset values for:
> >
> >  
> > HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en)
> >
> >  
> > Can anyone help me this together?
> >
> >  
> > Thanks
> >
> >  
> > john
> >
> >  
> >  
> >  
> > From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of 
> > Sheahan, John
> > Sent: Monday, March 01, 2010 5:38 PM
> > To: 'Community support list for Wireshark'
> > Subject: [Wireshark-users] Hex Offset Needed
> >
> >  
> > I am trying to troubleshoot an HTTP problem where the StatusCode=0 in the HTTP header.
> >
> >
> > I need to capture packets containing this parameter but since I am doing it on a Netscout probe, I have no way to 
> > figure out the offset of this in a packet.
> >
> >  
> > Can anyone tell me what hex offset I would need to put in as a filter to capture these packets?
> >
> >  
> > Thanks
> >
> >  
> > John
> >
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> >
> >  
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe