Wireshark mailing list archives
using offset to check any byte in the whole ether-frame
From: Julio Talaverano <delaflota () yahoo com>
Date: Thu, 21 Nov 2013 07:02:58 -0800 (PST)
Hi, as far as I have seen up to now, offsets can only be used on specific fields like ip, tcp, eth.src and such. I'd like to do something like: etherframe[1410:2] == 20:f1, for example. What I wanted to check for is the hostname a DNS request asked for and the related ICMP port unreachable error messages, which also include the hostname in their load behind the ICMP header. Or even the IP identification field in both the IP packet and the load of the ICMP error message, as above. This way I'd like to know how long our proxies keep asking the same name server for the resolution of the same hostname after reception of the port unreachable error message. Any hint? Thanks
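Added example, not part of the original post or of Wireshark: one way to do the correlation described above outside the display filter, by decoding the datagram quoted behind the ICMP header and matching it to the DNS query by hostname, or by IP identification when the quote is too short to hold the name. It assumes plain Ethernet II and IPv4 frames supplied as (timestamp, frame bytes) pairs; all function names and the sample capture are constructed for illustration.

```python
import struct

def qname(dns):
    """First question name of a DNS message, or None if the bytes stop short."""
    labels, i = [], 12                          # skip the 12-byte DNS header
    while i < len(dns) and dns[i]:
        if i + 1 + dns[i] > len(dns):           # label runs past a truncated quote
            return None
        labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
        i += 1 + dns[i]
    return ".".join(labels) if i < len(dns) else None

def parse_ip(pkt):  # -> (ip_id, protocol, dst, payload) of an IPv4 packet
    return struct.unpack_from("!H", pkt, 4)[0], pkt[9], pkt[16:20], pkt[(pkt[0] & 15) * 4:]

def classify(frame):
    """('query' | 'unreach', server, ip_id, hostname) for an Ethernet frame, else None."""
    if frame[12:14] != b"\x08\x00":                       # not IPv4
        return None
    ip_id, proto, dst, l4 = parse_ip(frame[14:])
    if proto == 17 and l4[2:4] == b"\x00\x35":            # UDP to port 53
        return "query", dst, ip_id, qname(l4[8:])
    if proto == 1 and l4[:2] == b"\x03\x03":              # ICMP type 3, code 3
        q_id, q_proto, q_dst, q_l4 = parse_ip(l4[8:])     # quoted original datagram
        if q_proto == 17 and q_l4[2:4] == b"\x00\x35":
            return "unreach", q_dst, q_id, qname(q_l4[8:])

def retry_windows(capture):
    """Seconds each (server, hostname) was still queried after its first port unreachable."""
    by_id, first_err, last_query = {}, {}, {}
    for ts, frame in capture:
        kind, server, ip_id, host = classify(frame) or (None,) * 4
        if kind == "query":
            by_id[server, ip_id], last_query[server, host] = host, ts
        elif kind == "unreach":
            host = host or by_id.get((server, ip_id))     # short quote: match on IP ID
            first_err.setdefault((server, host), ts)
    return {(".".join(map(str, s)), h): max(0.0, last_query.get((s, h), t) - t)
            for (s, h), t in first_err.items()}

def sample_capture(quoted=28):
    """Constructed capture: 3 queries, one unreachable quoting `quoted` bytes (checksums zero)."""
    def ip(ident, proto, src, dst, body):                 # Ethernet + IPv4 header around body
        hdr = struct.pack("!BBHHHBBH4s4s", 69, 0, 20 + len(body), ident, 0, 64, proto, 0, src, dst)
        return b"\x02" * 12 + b"\x08\x00" + hdr + body
    cli, srv = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 53])
    dns = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    q = [ip(i, 17, cli, srv, struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns) for i in (100, 101, 102)]
    err = ip(7, 1, srv, cli, struct.pack("!BBHI", 3, 3, 0, 0) + q[0][14:14 + quoted])
    return [(0.0, q[0]), (0.5, err), (2.0, q[1]), (6.0, q[2])]
```

With the default 28-byte quote (IP header plus 8 bytes) the hostname is absent from the error and the match falls back to the IP identification field; a longer quote carries the name itself.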