Re: specifying > 4 byte offsets / capture filters

[Guy Harris <guy () alum mit edu>]

On Oct 8, 2012, at 10:33 AM, Stuart Kendrick <skendric () fhcrc org> wrote:

> I want to capture ARP Requests/Responses around a particular MAC address (I'm looking for a rogue node intermittently 
> impersonating this address).
> Thus, I want to filter on the ARP fields:  Sender MAC Address and Target MAC Address

        ...

> Trying a simpler capture filter:
> ether[22:6]==0x001e4f3d4204
> also red
>
> OK, so reading the documentation ... http://www.wireshark.org/docs/man-pages/pcap-filter.html ... I see that pcap 
> permits a length of either 1, 2, or 4 ... no sixes (6).

Correct.  For filter tests, it currently only generates BPF code where the data can be tested with a single comparison 
instruction, which means no more than 4 bytes (the BPF pseudo-machine is a 32-bit machine).

> Can anyone think of a creative way to do the same thing?

arp and ((ether[22:4]==0x001e4f3d and ether[26:2]==0x4204) or (ether[32:4]==0x001e4f3d) and ether[36:2]==0x4204))
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe