Ethereal-users: Re: [Ethereal-users] yet another filter question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 24 Jan 2002 11:38:07 -0800 (PST)
> I don't quite understand the offset in capture filtering.

Which offset?  The "expr" in "proto [ expr : size ] " in the following
part of the tcpdump man page:

	  expr relop expr
	       True if the relation holds, where relop is one  of
	       >,  <,  >=,  <=,	 =, !=,	and expr is an arithmetic
	       expression   composed   of    integer	constants
	       (expressed  in  standard	 C  syntax),  the  normal
	       binary operators	[+, -, *,  /,  &,  |],	a  length
	       operator,  and  special packet data accessors.  To
	       access data inside the packet, use  the	following
	       syntax:
		    proto [ expr : size	]
	       Proto is	one of ether, fddi, ip,	arp,  rarp,  tcp,
	       udp, or icmp, and indicates the protocol	layer for
	       the index operation.  The byte offset, relative to
	       the  indicated  protocol	 layer,	is given by expr.
	       Size is optional	and indicates the number of bytes
	       in  the	field  of interest; it can be either one,
	       two, or four, and defaults  to  one.   The  length
	       operator,  indicated by the keyword len,	gives the
	       length of the packet.

	       For example, `ether[0] &	1 != 0'	catches	all  mul-
	       ticast traffic.	The expression `ip[0] &	0xf != 5'
	       catches all IP packets with options.  The  expres-
	       sion  `ip[6:2]  & 0x1fff	= 0' catches only unfrag-
	       mented  datagrams  and  frag  zero  of  fragmented
	       datagrams.   This  check	 is implicitly applied to
	       the tcp and udp index operations.   For	instance,
	       tcp[0]  always  means  the  first  byte of the TCP
	       header, and never  means	 the  first  byte  of  an
	       intervening fragment.

> For example, take the following code:
> 
> 0000  ff ff ff ff ff ff 00 40 68 1b 3d 26 00 60 ff ff   .......@h.=&.`..
> 0010  00 60 00 04 b0 b0 b0 b0 ff ff ff ff ff ff 04 52   .`.............R
> 0020  b0 b0 b0 b0 00 40 68 1b 3d 26 04 52 00 02 03 63   .....@h.=&.R...c
> 0030  45 53 49 31 37 38 35 31 32 36 00 00 00 00 00 00   ESI1785126......
> 0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> 0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> 0060  00 00 00 00 00 40 68 1b 3d 26 40 0b 00 01         .....@h.=&@...
> 
> 
> If I read this right 26 bytes into the packet it reads "b0b0b0b0". How would
> I capture packets with this pattern?

	link[26:4] = 0xb0b0b0b0

should, I think, do it - that checks whether the 4 bytes starting at an
offset of 26 bytes from the beginning of the link-layer header, when
interpreted as a big-endian number, have the value hex b0b0b0b0.