Ethereal-users: Re: [Ethereal-users] Searching for ASCII strings

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 22 Jan 2003 18:01:48 -0800
On Wed, Jan 22, 2003 at 08:37:18PM +0000, bejay wrote:
> Is there a filter that can be used to search for ASCII strings
> during capture?
> 
> Say for example I want to capture all sessions that contained the
> ASCII characters of:
> 
> jpeg
> 
> for example..... is this possible?

Not easily.

The BPF interpreter that implements libpcap filters, which are what
Ethereal uses for capturing, does not support loops, and looking for
"jpeg" anywhere in the packet would require a loop; you'd have to
completely unroll the loop, which, for, say, a 1460-byte TCP segment
(maximum size TCP payload in an Ethernet frame), means well over 1460
BPF instructions.

Not all in-kernel BPF interpreters will necessarily support that large a
program.

You also probably would *not* want to have to type the filter expression
required to generate such a program - if it were about 10 characters per
comparison with "jpeg", that's 14,600 characters.

(If you really want to try it anyway, I leave it entirely as an exercise
to you to figure out what needs to be done; I don't have time to figure
out what needs to be done.)
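As an added illustration of the point made in the reply above (this is not code from the original message, nor from the Ethereal or libpcap projects), the following Python script generates the fully unrolled libpcap capture filter that would be needed to match a string at every possible position in a TCP segment, and reports how large that expression gets. It assumes a 20-byte TCP header with no options, since libpcap's `tcp[offset:width]` syntax indexes from the start of the TCP header rather than the payload; the function names `unrolled_filter`, `match_at` and `filter_stats` are mine. It goes slightly beyond the 4-byte case in the text by splitting longer strings into the 4-, 2- and 1-byte compares that libpcap actually permits.

```python
"""
Generate the fully unrolled libpcap capture filter needed to match an ASCII
string at every candidate offset of a TCP segment, and measure its size.

Added illustration; not Ethereal or libpcap code. Offsets follow libpcap's
tcp[] convention (relative to the start of the TCP header), and a 20-byte
header without options is assumed (a constructed simplification).
"""

# libpcap accepts tcp[off:n] only for n in {1, 2, 4}, so a longer string has
# to be matched as several adjacent comparisons ANDed together.
_CHUNK_WIDTHS = (4, 2, 1)


def _chunks(data: bytes):
    """Split data left-to-right into 4-, 2- or 1-byte pieces, yielding (rel_offset, piece)."""
    pos = 0
    while pos < len(data):
        for width in _CHUNK_WIDTHS:
            if len(data) - pos >= width:
                yield pos, data[pos:pos + width]
                pos += width
                break


def match_at(needle: bytes, offset: int) -> str:
    """One filter clause asserting that needle appears at a fixed TCP offset."""
    parts = [
        f"tcp[{offset + rel}:{len(piece)}] = 0x{piece.hex()}"
        for rel, piece in _chunks(needle)
    ]
    return parts[0] if len(parts) == 1 else "(" + " and ".join(parts) + ")"


def unrolled_filter(needle: str, payload_len: int = 1460, header_len: int = 20) -> str:
    """OR together one match_at() clause for every offset the string could start at.

    payload_len defaults to 1460, the largest TCP payload in an Ethernet frame,
    as in the reply above.
    """
    data = needle.encode("ascii")
    first = header_len                           # payload begins right after the header
    last = header_len + payload_len - len(data)  # last offset with room for the string
    return " or ".join(match_at(data, off) for off in range(first, last + 1))


def filter_stats(needle: str, payload_len: int = 1460) -> dict:
    """Size figures showing why nobody would want to type this filter by hand."""
    expr = unrolled_filter(needle, payload_len)
    positions = payload_len - len(needle) + 1
    chunks_per_position = sum(1 for _ in _chunks(needle.encode("ascii")))
    return {
        "positions": positions,
        # Each comparison compiles to at least a load and a conditional jump,
        # so the BPF program ends up well over this many instructions.
        "comparisons": positions * chunks_per_position,
        "expression_chars": len(expr),
    }


if __name__ == "__main__":
    # Tiny segment so the whole expression fits on screen.
    print(unrolled_filter("jpeg", payload_len=8))
    # The realistic case from the reply: a full 1460-byte payload.
    print(filter_stats("jpeg"))
```

Run as a script, it prints the short filter for an 8-byte payload and then the statistics for a full-size segment: 1457 candidate positions for "jpeg" and an expression of nearly 40,000 characters, which is even longer than the 14,600 the reply estimates at 10 characters per comparison.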