> More generically, I haven't figured out - based on the tcpdump man page -
> whether or not it's possible to select bytes based on their frame offset
From the tcpdump man page:
    expression
        selects which packets will be dumped. If no expression
        is given, all packets on the net will be dumped. Otherwise,
        only packets for which expression is `true' will be dumped.

        The expression consists of one or more primitives.
        Primitives usually consist of an id (name or number)
        preceded by one or more qualifiers. There are three
        different kinds of qualifier:
        ...
        Allowable primitives are:
        ...
        expr relop expr
            True if the relation holds, where relop is one of
            >, <, >=, <=, =, !=, and expr is an arithmetic
            expression composed of integer constants
            (expressed in standard C syntax), the normal
            binary operators [+, -, *, /, &, |], a length
            operator, and special packet data accessors. To
            access data inside the packet, use the following
            syntax:

                proto [ expr : size ]

            Proto is one of ether, fddi, ip, arp, rarp, tcp,
            udp, or icmp, and indicates the protocol layer for
            the index operation. The byte offset, relative to
            the indicated protocol layer, is given by expr.
            Size is optional and indicates the number of bytes
            in the field of interest; it can be either one,
            two, or four, and defaults to one. The length
            operator, indicated by the keyword len, gives the
            length of the packet.

            For example, `ether[0] & 1 != 0' catches all multicast
            traffic. The expression `ip[0] & 0xf != 5' catches
            all IP packets with options. The expression
            `ip[6:2] & 0x1fff = 0' catches only unfragmented
            datagrams and frag zero of fragmented datagrams.
            This check is implicitly applied to the tcp and
            udp index operations. For instance, tcp[0] always
            means the first byte of the TCP header, and never
            means the first byte of an intervening fragment.
So, you can test a 1-byte, 2-byte, or 4-byte field with an "expr relop
expr" primitive. The man page continues:
    Primitives may be combined using:

        A parenthesized group of primitives and operators
        (parentheses are special to the Shell and must be
        escaped).

        Negation (`!' or `not').

        Concatenation (`&&' or `and').

        Alternation (`||' or `or').

    Negation has highest precedence. Alternation and
    concatenation have equal precedence and associate left to
    right. Note that explicit and tokens, not juxtaposition,
    are now required for concatenation.
So...
> (which would solve the problem below by selected bytes 7-9, which is the
> source OUI). Help?
...to test bytes 7 through 9 of the link-layer header, do
link[7] == 0xXX and link[8] == 0xXX and link[9] == 0xXX
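An added example, not part of this mail or of tcpdump itself: a small Python emulator of the proto[offset:size] accessor quoted above, used to check the man page's three sample expressions and a source-OUI match against a constructed Ethernet/IPv4 frame. It assumes Ethernet II framing without a VLAN tag; note that tcpdump offsets are 0-based, so the source address occupies link[6] through link[11] and its OUI is link[6], link[7] and link[8]. The helper names and the sample MAC address are assumptions.

```python
import struct

ETH_HDR_LEN = 14  # Ethernet II without a VLAN tag (assumption)


def field(pkt, proto, offset, size=1):
    """Emulate tcpdump's proto[offset:size]: the big-endian integer at that byte
    offset relative to the named layer, or None where tcpdump would not match
    (packet too short, not IPv4, or a non-first fragment for tcp/udp)."""
    if size not in (1, 2, 4):
        raise ValueError("size must be one, two or four")
    if proto in ("ether", "link"):
        base = 0
    elif pkt[12:14] != b"\x08\x00":          # EtherType is not IPv4
        return None
    elif proto == "ip":
        base = ETH_HDR_LEN
    elif proto in ("tcp", "udp"):
        frag = int.from_bytes(pkt[ETH_HDR_LEN + 6:ETH_HDR_LEN + 8], "big")
        if frag & 0x1FFF:                     # the implicit ip[6:2] & 0x1fff = 0 check
            return None
        base = ETH_HDR_LEN + (pkt[ETH_HDR_LEN] & 0x0F) * 4   # skip IHL*4 header bytes
    else:
        raise ValueError("unsupported proto " + proto)
    start = base + offset
    if start + size > len(pkt):
        return None
    return int.from_bytes(pkt[start:start + size], "big")

def is_multicast(pkt):             # ether[0] & 1 != 0
    v = field(pkt, "ether", 0)
    return v is not None and (v & 1) != 0

def has_ip_options(pkt):           # ip[0] & 0xf != 5
    v = field(pkt, "ip", 0)
    return v is not None and (v & 0xF) != 5

def source_oui_is(pkt, oui):       # link[6] = X and link[7] = Y and link[8] = Z
    return all(field(pkt, "link", 6 + i) == oui[i] for i in range(3))

def build_frame(src_mac, ihl_words=5, flags_frag=0x4000):
    """Constructed Ethernet/IPv4/TCP frame for testing, not a real capture."""
    dst_mac = bytes.fromhex("01005e000001")   # multicast destination address
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + 20, 1,
                         flags_frag, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    ip_hdr += b"\x00" * ((ihl_words - 5) * 4)  # zero-filled IP options
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + b"\x00" * 20
```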