Wireshark-dev: Re: [Wireshark-dev] libpcap support for capturing DCCP packets with specific por
Assuming it's DCCP/IPv4 with no IP options, then the following
(untested) capture filter might work for you:
(dst 192.168.1.30) && (ip[0]==0x45) && (ip[9]==33) && (ip[20:2]==40001)
If not, then you'll likely need to check the man page as Bill suggests.
- Chris
> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Bill Meier
> Sent: Thursday, September 10, 2009 9:26 AM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] libpcap support for capturing DCCP packets with specific port?
>
> Ktawut T.Pijarn wrote:
>
> > However, I also need to differentiate different DCCP
> > connections using different DCCP ports too but libpcap doesn't capture
> > anything for me when I specify the desired port in addition to the IP
> > address in the capture filter, e.g. "dst 192.168.1.30 and src port 40001".
> > It just does not capture anything for me.
> >
> > So, is there a special syntax for pcap to specify the DCCP port, if that is
> > available at all?
> >
>
> It appears that DCCP runs on top of IP and thus "DCCP port" is specified
> in the DCCP payload.
>
> I strongly doubt that DCCP is a protocol which can be specified in a
> libpcap Capture Filter (and thus can be decoded to determine the DCCP
> port).
>
> From the man tcpdump section about Capture filters:
>
> "dst port port
> True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a
> destination port value of port. The port can be a number or a name
> "
>
>
> As the Wireshark man pages say:
>
> "Capture Filter Syntax
> See the manual page of pcap-filter(4) or, if that doesn't exist,
> tcpdump(8)."
>
> for all the gory details about using Capture filters. :)
>
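Added example, not part of the original messages: the byte-offset tests from the suggested filter, evaluated in Python over constructed IPv4/DCCP packets, next to a variant that reads the IP header length so packets carrying IP options are not missed. Function names, the source address 192.168.1.20 and port 5001 are made up for illustration.

```python
import socket
import struct

DCCP_PROTO = 33  # IP protocol number tested by ip[9]==33 in the filter


def build_ipv4_dccp(src, dst, sport, dport, ip_options=b""):
    """Constructed sample: IPv4 header (+ options) and the two DCCP port fields."""
    ihl = 5 + len(ip_options) // 4          # header length in 32-bit words
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 4, 0, 0, 64,
        DCCP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    # DCCP starts with source port then destination port, 16 bits each.
    return header + ip_options + struct.pack("!HH", sport, dport)


def fixed_offset_match(ip, dst, sport):
    """Same tests as the filter in the message: dst, ip[0], ip[9], ip[20:2]."""
    return (ip[16:20] == socket.inet_aton(dst)
            and ip[0] == 0x45               # IPv4, 20-byte header, no options
            and ip[9] == DCCP_PROTO
            and struct.unpack("!H", ip[20:22])[0] == sport)


def header_length_match(ip, dst, sport):
    """Variant that locates the DCCP header from the IHL nibble.

    Corresponds to indexing with (ip[0]&0xf)<<2 instead of the constant 20.
    """
    if ip[0] >> 4 != 4 or ip[9] != DCCP_PROTO:
        return False
    off = (ip[0] & 0x0F) << 2               # IP header length in bytes
    if len(ip) < off + 2:
        return False                        # truncated capture
    return (ip[16:20] == socket.inet_aton(dst)
            and struct.unpack("!H", ip[off:off + 2])[0] == sport)


if __name__ == "__main__":
    plain = build_ipv4_dccp("192.168.1.20", "192.168.1.30", 40001, 5001)
    opts = build_ipv4_dccp("192.168.1.20", "192.168.1.30", 40001, 5001,
                           ip_options=b"\x01\x01\x01\x00")
    for name, pkt in (("no options", plain), ("with options", opts)):
        print(name, fixed_offset_match(pkt, "192.168.1.30", 40001),
              header_length_match(pkt, "192.168.1.30", 40001))
```

Note that ip[20:2] is the DCCP source port, matching the "src port 40001" in the original question; the destination port sits two bytes later.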