Wireshark-users: Re: [Wireshark-users] Filtering tcp payload
From: "Greg Helps" <greg@xxxxxxxxxxxx>
Date: Fri, 15 Feb 2008 10:09:10 +1030
Guy Harris wrote:

> As for display filters, there are two issues:
>
> The first of which is that the constant operand of "&" must be a byte
> string, i.e. a sequence of hex values separated by colons, so you have
> to say "c0" rather than "0xc0" for a one-byte value.
>
> The second of which is that, at least as I read the man page, you
> can't do something such as
>
>       (tcp[21] & c0) == 0
>
> but you can do
>
>       !(tcp[21] & c0)
>
> (Note also that those display and capture filters assume the TCP
> segment has no TCP options.)

Excellent, thanks for clearing this up for me. This works as intended
and will assist me no end.

Cheers
Greg
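
Added example (not part of the original thread): the filter's closing caveat about TCP options, worked through in Python. The fixed offset 21 is the second payload byte only when the header is exactly 20 bytes, so the sketch compares the arithmetic of `!(tcp[21] & c0)` with a check that locates the payload from the data-offset field. The segments, ports, option bytes and function names are constructed for illustration.

```python
import struct

def build_segment(options: bytes, payload: bytes) -> bytes:
    """Constructed TCP segment (header + options + payload); checksum left at 0."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4      # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", 49152, 443, 1, 1,
                         data_offset << 4, 0x18, 65535, 0, 0)
    return header + options + payload

def tcp_header_len(segment: bytes) -> int:
    """Header length in bytes, from the high nibble of byte 12 (data offset)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    hlen = (segment[12] >> 4) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("invalid data offset")
    return hlen

def fixed_offset_match(segment: bytes, offset: int = 21, mask: int = 0xC0) -> bool:
    """Arithmetic of !(tcp[21] & c0): true when the masked byte is zero."""
    return len(segment) > offset and (segment[offset] & mask) == 0

def payload_match(segment: bytes, index: int = 1, mask: int = 0xC0) -> bool:
    """Same test, applied to payload byte `index` wherever the header ends."""
    pos = tcp_header_len(segment) + index
    return len(segment) > pos and (segment[pos] & mask) == 0

# Constructed sample data: payload byte 1 has both high bits set (0xC5).
PAYLOAD = bytes([0x00, 0xC5, 0x00])
# NOP, NOP, Timestamps (kind 8, length 10) with zeroed values: 12 option bytes.
TS_OPTIONS = bytes([1, 1, 8, 10]) + bytes(8)

NO_OPTS = build_segment(b"", PAYLOAD)
WITH_OPTS = build_segment(TS_OPTIONS, PAYLOAD)

if __name__ == "__main__":
    for name, seg in (("no options", NO_OPTS), ("with options", WITH_OPTS)):
        print(f"{name:13} header={tcp_header_len(seg):2} "
              f"fixed={fixed_offset_match(seg)} payload={payload_match(seg)}")
```

With options present, offset 21 lands on a NOP option byte (0x01), so the fixed-offset test matches a segment whose payload byte should not match.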