Wireshark mailing list archives

using offset to check any byte in the whole ether-frame


From: Julio Talaverano <delaflota () yahoo com>
Date: Thu, 21 Nov 2013 07:02:58 -0800 (PST)

Hi,

As far as I have seen up to now, offsets can only be used on specific fields like ip, tcp, eth.src and such.

I'd like to do something like:
etherframe[1410:2] == 20:f1 for example.


What I wanted to check for is the hostname a DNS request asked for and the related ICMP port unreachable error messages, which also include the hostname in their load behind the ICMP header.

Or even the IP identification field in both the IP packet and the load of the ICMP error message, as above.

This way I'd like to know how long our proxies keep asking the same name server for the resolution of the same hostname after reception of the port unreachable error message.


Any hint?

Thanks
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
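
Added example, not part of the original post: an offline Python sketch of the correlation described above, pairing DNS queries with the ICMP port unreachable errors that quote them, by hostname when the quote carries it and by IP identification when the quote stops after the UDP header. It assumes untagged Ethernet II, IPv4 and UDP port 53; every function name and all sample frames are constructed for illustration.

```python
import struct

def ipv4(pkt):  # -> (ip_id, protocol, dst, payload)
    ihl = (pkt[0] & 0x0F) * 4  # honour IHL so IP options do not shift the payload
    return struct.unpack_from("!H", pkt, 4)[0], pkt[9], pkt[16:20], pkt[ihl:]

def qname(dns):
    """First question name, or None when the bytes are truncated or use compression."""
    labels, i = [], 12
    while i < len(dns) and 0 < dns[i] < 64 and i + dns[i] < len(dns):
        labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
        i += 1 + dns[i]
    return ".".join(labels) if i < len(dns) and dns[i] == 0 else None

def classify(frame):
    """('query'|'unreach', ip_id, server, name) for DNS queries and ICMP errors quoting them."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":  # too short or not untagged IPv4
        return None
    ip_id, proto, dst, l4 = ipv4(frame[14:])
    if proto == 17 and l4[2:4] == b"\x00\x35":           # UDP, destination port 53
        return "query", ip_id, dst, qname(l4[8:])
    if proto == 1 and l4[:2] == b"\x03\x03" and len(l4) >= 36:  # ICMP type 3, code 3
        q_id, q_proto, q_dst, q_l4 = ipv4(l4[8:])        # quoted original datagram
        if q_proto == 17 and q_l4[2:4] == b"\x00\x35":
            return "unreach", q_id, q_dst, qname(q_l4[8:])
    return None

def retry_window(capture):
    """[(timestamp, frame)] -> {(server, name): seconds queries continued after first error}."""
    id_to_name, first_err, last_query = {}, {}, {}
    for ts, frame in capture:
        kind, ip_id, server, name = classify(frame) or (None,) * 4
        if kind == "query":
            id_to_name[server, ip_id] = name
            last_query[server, name] = ts
        elif kind == "unreach":
            name = name or id_to_name.get((server, ip_id))  # short quote: match on IP ID
            first_err.setdefault((server, name), ts)
    return {k: max(0.0, last_query[k] - t) for k, t in first_err.items() if k in last_query}

def build(ip_id, proto, src, dst, l4):  # constructed sample frames, checksums left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ip_id, 0, 64, proto, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

DNS = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
UDP = struct.pack("!4H", 40000, 53, 8 + len(DNS), 0) + DNS
PROXY, NS = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53])
Q = [build(0x1111 + i, 17, PROXY, NS, UDP) for i in range(3)]
ERR = build(0x9999, 1, NS, PROXY, b"\x03\x03" + b"\x00" * 6 + Q[0][14:42])  # IP header + 8 bytes
SAMPLE = [(0.0, Q[0]), (0.5, ERR), (2.0, Q[1]), (4.0, Q[2])]
```

On the constructed capture, `retry_window(SAMPLE)` reports that queries for `www.example.com` to the same server continued for 3.5 seconds after the first port unreachable error.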
