Ethereal-users: [Ethereal-users] filter for HTTP payload

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Wachter, Richard J." <RWachter@xxxxxxxxx>
Date: Wed, 21 Aug 2002 12:35:53 -0400

Hello fellow Ethereal users,
I am seeking your help in formulating a filter that will match protocol type
of http with "POST" as the method that was used.  I have read the primer
written by Mike Horn ( http://home.insight.rr.com/procana/index.html ) and
found that I want to do almost exactly what his "SMTP" example is doing.  I
have also followed the link provided by Guy Harris (
http://windump.polito.it/docs/manual.htm ) about WinDump.
However, I would be lying if I said that I fully understand the way you are
doing the offsetting into the packet.  For example, in Mike Horn's primer he
uses this example, "tcp[20:4] = 0x48454C4F", which is looking for the word "HELO"
starting 20 bytes into the packet for a length of 4 bytes.  I am trying to
understand how I can determine the offset into the packet.  I have an
example of an "http" packet that is a "POST".  From what I see in the
capture, the POST is in the hex dump section, on the line that starts
"0030", in the 6th column from the left.  Should this be offset 36?  POST,
like HELO, is 4 bytes long, so my filter should be "port 80 and ( tcp[36:4] =
0x504f5354 )".  I know, however, that this is not matching, as I have
run several tests and I get no matches on my filter.
Any help would be most welcome.

Richard Wachter
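The offset arithmetic asked about above, as an added example that is not part of the original post or of Ethereal/WinDump: in pcap/BPF filter syntax `tcp[n:m]` is indexed from the start of the TCP header, not the frame, and the "0030" label in the hex dump is a hexadecimal frame offset (0x36 = 54 = 14 Ethernet + 20 IP + 20 TCP bytes). The Python below locates the payload in a constructed Ethernet/IPv4/TCP frame the way the filter has to, and builds the equivalent capture filter; the sample frame bytes and helper names are assumptions.

```python
import struct

ETH_HDR_LEN = 14  # untagged Ethernet II header (6 dst + 6 src + 2 ethertype)


def tcp_payload_offset(frame: bytes) -> int:
    """Frame-relative byte offset where the TCP payload begins.

    Reads the IPv4 IHL nibble and the TCP data-offset nibble, so it is also
    right when IP or TCP options are present (the fixed 14 + 20 + 20 = 54,
    i.e. hex-dump line 0030 at offset 0x36, only holds without options).
    """
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4           # IP header length in bytes
    if frame[ETH_HDR_LEN + 9] != 6:
        raise ValueError("not TCP")
    tcp_start = ETH_HDR_LEN + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4     # TCP header length in bytes
    return tcp_start + data_off


def is_http_post(frame: bytes) -> bool:
    """True when the TCP payload starts with the 4-byte method token 'POST'."""
    off = tcp_payload_offset(frame)
    return frame[off:off + 4] == b"POST"


def bpf_filter(method: bytes, port: int = 80) -> str:
    """Equivalent tcpdump/WinDump capture filter.

    tcp[n:4] counts from the start of the TCP header, not the frame, so the
    payload offset is the TCP data-offset field, evaluated inside the filter:
    (tcp[12] & 0xf0) >> 2 is the header length in bytes (20 without options).
    """
    word = struct.unpack(">I", method[:4])[0]        # b"POST" -> 0x504f5354
    return f"tcp dst port {port} and tcp[((tcp[12:1] & 0xf0) >> 2):4] = {word:#010x}"


def build_sample_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed test frame: Ethernet II / IPv4 (no options) / TCP.

    Checksums are left as zero; only the header lengths matter here.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp_len = 20 + len(tcp_options)                 # must stay a multiple of 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                     0x1234, 0x4000, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, (tcp_len // 4) << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + tcp_options + payload
```

With no options the filter reduces to `tcp[20:4] = 0x504f5354`; `tcp[36:4]` would instead read 36 bytes past the start of the TCP header, well inside the payload.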