Wireshark-users: [Wireshark-users] Filtering tcp payload
From: "Greg Helps" <greg@xxxxxxxxxxxx>
Date: Thu, 14 Feb 2008 14:52:31 +1030
Hi,
 
My question's probably quite simple, but I'd like to frame it by
explaining my situation first. I come from an environment that uses
Citrix MetaFrame. A Citrix session establishes itself on tcp port 1494
or 2598 by default. All activities utilise this single conversation,
meaning screen drawing, mouse movements, clipboard copies, client-side
drive mapping etc all occur within the same conversation.
 
Screen redraws, mouse movements and keystrokes are all high priority
activities compared to something like printing. Therefore, the first two
bytes of the tcp data are not encrypted and contain information about
the payload of the particular packet. From Cisco's description:
The first two bytes of the packet (byte 1 and byte 2) contain the byte
count and the ICA priority tag number. Byte 1 contains the low-order
byte count, and the first two bits of byte 2 contain the priority tags.
The other six bits contain the high-order byte count.
 
I'd like to filter by the first two bits of the second byte of the tcp
payload data. I am currently trying variations of the following display
filter:
(tcp[21] & 0xc0) == 0

This filter is rejected as invalid. Can anyone see what I'm doing wrong?


Thanks
Greg
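Added example, not part of Greg's post or of Wireshark: a small Python decoder for the two-byte framing header the post describes (byte 1 = low-order byte count, byte 2 = two priority bits plus six high-order count bits), applied to raw TCP segments. It locates the payload through the TCP data-offset field instead of a fixed offset, which is the same arithmetic a pcap-style `tcp[...]` expression has to do: `tcp[21]` is the second payload byte only when the TCP header is exactly 20 bytes. The sample segments are constructed inline; the assumption that the priority tag occupies the top two bits of byte 2 follows the `0xc0` mask in the post.

```python
"""
Decode the two-byte ICA-style framing header described in the post from raw
TCP segments. Added example; sample packets below are constructed, not captured.
"""
import struct

TCP_MIN_HEADER = 20


def tcp_payload(segment: bytes) -> bytes:
    """Return the payload of a raw TCP segment (TCP header starts at offset 0).

    The data offset is the high nibble of byte 12, in 32-bit words, so the
    payload starts at (segment[12] >> 4) * 4.  A capture filter expresses the
    same thing as tcp[((tcp[12:1] & 0xf0) >> 2)] for the first payload byte;
    a hard-coded tcp[21] assumes a 20-byte header with no options.
    """
    if len(segment) < TCP_MIN_HEADER:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < TCP_MIN_HEADER or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    return segment[data_offset:]


def ica_header(payload: bytes):
    """Split the first two payload bytes into (priority_tag, byte_count).

    Per the description quoted in the post: byte 1 is the low-order byte
    count, the top two bits of byte 2 are the priority tag (assumption: top
    two bits, matching the post's 0xc0 mask) and the remaining six bits are
    the high-order byte count.  Returns None if fewer than two bytes exist.
    """
    if len(payload) < 2:
        return None
    low, second = payload[0], payload[1]
    priority = (second & 0xC0) >> 6
    count = ((second & 0x3F) << 8) | low
    return priority, count


def build_ica_payload(priority: int, count: int, body: bytes) -> bytes:
    """Construct a payload carrying the two-byte header followed by body."""
    if not (0 <= priority <= 3 and 0 <= count <= 0x3FFF):
        raise ValueError("priority must fit in 2 bits, count in 14 bits")
    return bytes([count & 0xFF, (priority << 6) | (count >> 8)]) + body


def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Construct a TCP segment (constructed sample, ports from the post).

    Options are padded to a 4-byte boundary and the data-offset nibble is
    set accordingly, so the header is 20 bytes plus the padded options.
    """
    options = options + b"\x00" * (-len(options) % 4)
    header_words = 5 + len(options) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        1494, 40000,          # source / destination port
        1, 1,                 # sequence / acknowledgement numbers
        header_words << 4,    # data offset (words) in the high nibble
        0x18,                 # PSH|ACK
        8192, 0, 0,           # window, checksum (unset), urgent pointer
    )
    return header + options + payload


def matches_priority(segment: bytes, wanted: int) -> bool:
    """Equivalent of filtering on the two priority bits of payload byte 2."""
    hdr = ica_header(tcp_payload(segment))
    return hdr is not None and hdr[0] == wanted


if __name__ == "__main__":
    plain = build_segment(build_ica_payload(0, 5, b"screen"))
    with_opts = build_segment(build_ica_payload(2, 0x0123, b"print"),
                              options=b"\x01\x01\x01\x01")  # four NOPs
    for name, seg in (("no options", plain), ("with options", with_opts)):
        print(name, ica_header(tcp_payload(seg)), "byte 21 =", hex(seg[21]))
```

In the second sample the TCP header is 24 bytes, so byte 21 of the segment is an option byte rather than the second payload byte; only the data-offset-based lookup returns the priority tag correctly in both cases.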