Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
That it! I didn't know there was a 'link' command. Where did you reference this from?
-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxx]
Sent: Thursday, January 24, 2002 1:38 PM
To: Broggy, David
Cc: 'ethereal-users@xxxxxxxxxxxx'
Subject: Re: [Ethereal-users] yet another filter question
> I don't quite understand the offset in capture filtering.
Which offset? The "expr" in "proto [ expr : size ] " in the following
part of the tcpdump man page:
expr relop expr
True if the relation holds, where relop is one of
>, <, >=, <=, =, !=, and expr is an arithmetic
_expression_ composed of integer constants
(expressed in standard C syntax), the normal
binary operators [+, -, *, /, &, |], a length
operator, and special packet data accessors. To
access data inside the packet, use the following
syntax:
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp, tcp,
udp, or icmp, and indicates the protocol layer for
the index operation. The byte offset, relative to
the indicated protocol layer, is given by expr.
Size is optional and indicates the number of bytes
in the field of interest; it can be either one,
two, or four, and defaults to one. The length
operator, indicated by the keyword len, gives the
length of the packet.
For example, `ether[0] & 1 != 0' catches all mul-
ticast traffic. The _expression_ `ip[0] & 0xf != 5'
catches all IP packets with options. The expres-
sion `ip[6:2] & 0x1fff = 0' catches only unfrag-
mented datagrams and frag zero of fragmented
datagrams. This check is implicitly applied to
the tcp and udp index operations. For instance,
tcp[0] always means the first byte of the TCP
header, and never means the first byte of an
intervening fragment.
> For example, take the following code:
>
> 0000 ff ff ff ff ff ff 00 40 68 1b 3d 26 00 60 ff ff .......@h.=&.`..
> 0010 00 60 00 04 b0 b0 b0 b0 ff ff ff ff ff ff 04 52 .`.............R
> 0020 b0 b0 b0 b0 00 40 68 1b 3d 26 04 52 00 02 03 63 .....@h.=&.R...c
> 0030 45 53 49 31 37 38 35 31 32 36 00 00 00 00 00 00 ESI1785126......
> 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0060 00 00 00 00 00 40 68 1b 3d 26 40 0b 00 01 .....@h.=&@...
>
>
> If I read this right 26 bytes into the packet it reads "b0b0b0b0". How would
> I capture packets with this pattern?
link[26:4] = 0xb0b0b0b0
should, I think, do it - that checks whether the 4 bytes starting at an
offset of 26 bytes from the beginning of the link-layer header, when
interpreted as a big-endian number, have the value hex b0b0b0b0.
| This message has been 'sanitized'. This means that potentially
dangerous content has been rewritten or removed. The following
log describes which actions were taken.
Sanitizer (start="1011901345"):
Part (pos="1571"):
SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
Match (rule="2"):
Enforced policy: accept
Part (pos="4589"):
SanitizeFile (filename="unnamed.html", mimetype="text/html"):
Match (rule="default"):
Enforced policy: accept
Rewrote HTML tag: >>_META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"_<<
as: >>_MANGLED_ON_PURPOSE_META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"_<<
Rewrote HTML tag: >>_META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12"_<<
as: >>_MANGLED_ON_PURPOSE_META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12"_<<
Total modifications so far: 2
Anomy 0.0.0 : Sanitizer.pm $Id: Sanitizer.pm,v 1.32 2001/10/11 19:27:15 bre Exp $ |
- Follow-Ups:
- Re: [Ethereal-users] yet another filter question
- From: Guy Harris
- Re: [Ethereal-users] yet another filter question
- Prev by Date: Re: FW: [Ethereal-users] yet another filter question
- Next by Date: Re: FW: [Ethereal-users] yet another filter question
- Previous by thread: Re: FW: [Ethereal-users] yet another filter question
- Next by thread: Re: [Ethereal-users] yet another filter question
- Index(es):
