Wireshark mailing list archives

Re: specifying > 4 byte offsets / capture filters


From: Stuart Kendrick <skendric () fhcrc org>
Date: Mon, 08 Oct 2012 10:58:38 -0700


Correct.  For filter tests, it currently only generates BPF code where the data can be tested with a single comparison 
instruction, which means no more than 4 bytes (the BPF pseudo-machine is a 32-bit machine).

Can anyone think of a creative way to do the same thing?

arp and ((ether[22:4]==0x001e4f3d and ether[26:2]==0x4204) or (ether[32:4]==0x001e4f3d and ether[36:2]==0x4204))

Ahh.  Thank you Guy,

--sk
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
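
Added example (not part of the original message or of Wireshark/libpcap): a small Python helper that builds the kind of split comparison suggested above, breaking a byte string longer than 4 bytes into 4-, 2- and 1-byte loads so each test fits a single BPF comparison. The function names are hypothetical; the offsets 22 and 32 are the ones used in the filter in the message, and the helper generalizes to any length, not only 6-byte MAC addresses.

```python
def split_match(base: str, offset: int, data: bytes) -> str:
    """Build a capture-filter expression matching `data` at base[offset...].

    Each term loads 4, 2 or 1 bytes, the only sizes a filter byte-offset
    expression accepts, so every term is one 32-bit-or-smaller comparison.
    """
    if not data:
        raise ValueError("no bytes to match")
    terms = []
    pos = 0
    while pos < len(data):
        remaining = len(data) - pos
        # Pick the largest load size that still fits in what is left.
        size = 4 if remaining >= 4 else 2 if remaining >= 2 else 1
        chunk = data[pos:pos + size]
        terms.append(f"{base}[{offset + pos}:{size}]==0x{chunk.hex()}")
        pos += size
    return " and ".join(terms)


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"expected a 6-byte MAC address, got {len(raw)} bytes")
    return raw


def arp_mac_filter(mac: str) -> str:
    """ARP frames whose sender (offset 22) or target (offset 32) MAC is `mac`."""
    raw = parse_mac(mac)
    sender = split_match("ether", 22, raw)
    target = split_match("ether", 32, raw)
    return f"arp and (({sender}) or ({target}))"


if __name__ == "__main__":
    # Constructed sample input: the MAC address used in the message's filter.
    print(arp_mac_filter("00:1e:4f:3d:42:04"))
```
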

