Wireshark mailing list archives

specifying > 4 byte offsets / capture filters


From: Stuart Kendrick <skendric () fhcrc org>
Date: Mon, 08 Oct 2012 10:33:07 -0700

Hi folks,

I want to capture ARP Requests/Responses around a particular MAC address (I'm looking for a rogue node intermittently impersonating this address). Thus, I want to filter on the ARP fields: Sender MAC Address and Target MAC Address.

A capture filter of:
arp
of course captures all ARPs

A capture filter of:
ether[12:2]==0x0806
of course captures all ARPs

But a capture filter of:
arp and (ether[22:6]==0x001e4f3d4204 or ether[32:6]==0x001e4f3d4204)
stays red ... invalid

Trying a simpler capture filter:
ether[22:6]==0x001e4f3d4204
also red

OK, so reading the documentation ... http://www.wireshark.org/docs/man-pages/pcap-filter.html ... I see that pcap permits a length of either 1, 2, or 4 ... no sixes (6).

"Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.) Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet."

Bummer. I've poked through the changelog for the latest libpcap; I don't see any mention of increasing the offset field:
http://www.tcpdump.org/libpcap-changes.txt

Can anyone think of a creative way to do the same thing? I'm going with the following for now:

arp and (ether[22:4]==0x001e4f3d or ether[32:4]==0x001e4f3d)

But obviously it is a bit broader than I really want.

?

--sk

Stuart Kendrick
FHCRC
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
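Added example (not part of the post or of libpcap): because pcap-filter only loads 1, 2 or 4 bytes at a time, a 6-byte MAC comparison can be split into a 4-byte load plus a 2-byte load at offset+4. The script below builds that capture filter from a MAC string and checks the same predicate offline against constructed ARP frames (Ethernet II framing assumed; the frame builder and the sample MAC/IP values are constructed for illustration, with the MAC taken from the post).

```python
import struct

WATCHED_MAC = "00:1e:4f:3d:42:04"  # MAC from the post; constructed example value

def mac_to_bytes(mac: str) -> bytes:
    """'00:1e:4f:3d:42:04' -> b'\\x00\\x1e\\x4f\\x3d\\x42\\x04'."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def arp_mac_filter(mac: str) -> str:
    """Build a pcap capture filter that matches ARP frames whose sender
    (Ethernet offset 22) or target (offset 32) hardware address equals
    `mac`. pcap-filter loads only 1, 2 or 4 bytes, so the 6-byte MAC is
    compared as a 4-byte load followed by a 2-byte load at offset+4."""
    raw = mac_to_bytes(mac)
    hi, lo = raw[:4].hex(), raw[4:].hex()
    clauses = [f"(ether[{off}:4]==0x{hi} and ether[{off + 4}:2]==0x{lo})"
               for off in (22, 32)]
    return "arp and (" + " or ".join(clauses) + ")"

def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct a minimal Ethernet II + ARP frame (htype 1, ptype IPv4, hlen 6, plen 4)."""
    eth = mac_to_bytes("ff:ff:ff:ff:ff:ff") + mac_to_bytes(sha) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_to_bytes(sha) + bytes(int(o) for o in spa.split("."))
           + mac_to_bytes(tha) + bytes(int(o) for o in tpa.split(".")))
    return eth + arp

def exact_match(frame: bytes, mac: str) -> bool:
    """Same predicate as arp_mac_filter(), evaluated in Python on a raw frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return False
    want = mac_to_bytes(mac)
    return frame[22:28] == want or frame[32:38] == want

def prefix_match(frame: bytes, mac: str) -> bool:
    """The 4-byte-only workaround from the post: matches any MAC sharing
    the first four octets, which is where the unwanted extra hits come from."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return False
    want = mac_to_bytes(mac)[:4]
    return frame[22:26] == want or frame[32:36] == want

if __name__ == "__main__":
    print(arp_mac_filter(WATCHED_MAC))
    # A request from the watched MAC, and one from a neighbour sharing its first four octets.
    hit = build_arp(1, WATCHED_MAC, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")
    near = build_arp(1, "00:1e:4f:3d:00:01", "10.0.0.6", "00:00:00:00:00:00", "10.0.0.1")
    print(exact_match(hit, WATCHED_MAC), exact_match(near, WATCHED_MAC))  # True False
    print(prefix_match(near, WATCHED_MAC))  # True
```

The generated expression can be pasted straight into Wireshark's capture filter field or passed to tcpdump; note the offsets assume plain Ethernet II framing, so 802.1Q-tagged frames would shift them by four bytes.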
