Wireshark mailing list archives
Re: specifying > 4 byte offsets / capture filters
From: Stuart Kendrick <skendric () fhcrc org>
Date: Mon, 08 Oct 2012 10:58:38 -0700
Correct. For filter tests, it currently only generates BPF code where the data can be tested with a single comparison instruction, which means no more than 4 bytes (the BPF pseudo-machine is a 32-bit machine).Can anyone think of a creative way to do the same thing?arp and ((ether[22:4]==0x001e4f3d and ether[26:2]==0x4204) or (ether[32:4]==0x001e4f3d) and ether[36:2]==0x4204))
Ahh. Thank you Guy, --sk ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- specifying > 4 byte offsets / capture filters Stuart Kendrick (Oct 08)
- Re: specifying > 4 byte offsets / capture filters Guy Harris (Oct 08)
- Re: specifying > 4 byte offsets / capture filters Stuart Kendrick (Oct 08)
- Re: specifying > 4 byte offsets / capture filters Guy Harris (Oct 08)