Ethereal-dev: Re: [ethereal-dev] Match Selected...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gramirez@xxxxxxxxxx>
Date: Wed, 16 Aug 2000 14:04:35 -0500
On Wed, 16 Aug 2000 13:52:40 Laurent Deniel wrote:
>
> > Instead of frame[offset:length], the "match" function could produce
> > something like tcp[offset:length] or even data[offset:length]
>
> That would be the Right Thing to do (but AFAIK, we can not do that with
> the current display filter yet ?)
> 
> --
> Laurent DENIEL        | E-mail: deniel@xxxxxxxxxxx
> Paris, FRANCE         |         laurent.deniel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
>                       | WWW   : http://www.worldnet.fr/~deniel
>     All above opinions are personal, unless stated otherwise.

It can be done. 'frame' is just another protocol, like 'tcp' and 'data'.
This can be done on fields, too. You can filter on the vendor portion
of a MAC address via: tr.dst[0:3] == 0.6.29

(or eth.dst, or fddi.dst)

From the man page:

A substring operator also exists.  You can check the substring
(byte-string) of any protocol or field.  For example, you can filter on
the vendor portion of an ethernet address (the first three bytes) like
this:

    eth.src[0:3] == 00:00:83

Or more simply, since the number of bytes is inherent in the byte-string
you provide, you can provide just the offset.  The previous example can
be stated like this:

    eth.src[0] == 00:00:83

In fact, the only time you need to explicitly provide a length is when
you don't provide a byte-string, and are comparing fields against
fields:

    fddi.src[0:3] == fddi.dst[0:3]

If the length of your byte-string is only one byte, then it must be
represented in the same way as an unsigned 8-bit integer:

    llc[3] == 0xaa

You can use the substring operator on a protocol name, too.  And
remember, the "frame" protocol encompasses the entire packet, allowing
you to look at the nth byte of a packet regardless of its frame type
(Ethernet, token-ring, etc.).

    token[0:5] ne 0.0.0.1.1
    ipx[0:2] == ff:ff
    llc[3:1] eq 0xaa

Offsets for byte-strings can also be negative, in which case the
negative number indicates the number of bytes from the end of the field
or protocol that you are testing.  Here's how to check the last 4 bytes
of a frame:

    frame[-4] == 0.1.2.3

or

    frame[-4:4] == 0.1.2.3

--gilbert
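As an added illustration of the substring-operator semantics quoted from the man page above (this is not code from Ethereal or from anyone in this thread), the following Python model evaluates expressions such as `eth.src[0:3] == 00:00:83`, `frame[-4] == 0.1.2.3` and `fddi.src[0:3] == fddi.dst[0:3]` against a constructed frame. The sample frame, the field-offset table and the reading of colon- or dot-separated byte-strings as hexadecimal are assumptions made for this example; Ethereal's real display-filter parser is not used.

```python
import re

# Constructed sample frame (not a real capture): a 14-byte Ethernet header
# followed by a small payload whose last four bytes are 00 01 02 03.
SAMPLE_FRAME = (
    bytes.fromhex("000629000002")    # eth.dst, vendor part 00:06:29
    + bytes.fromhex("000083000001")  # eth.src, vendor part 00:00:83
    + bytes.fromhex("0800")          # ethertype
    + bytes.fromhex("aaaa03")        # start of the payload
    + bytes.fromhex("00010203")      # last four bytes of the frame
)

# Hypothetical dissection of that frame: name -> (start, length) in bytes.
# 'frame' spans the whole packet, as the quoted man page text describes.
SAMPLE_FIELDS = {
    "frame": (0, len(SAMPLE_FRAME)),
    "eth": (0, 14),
    "eth.dst": (0, 6),
    "eth.src": (6, 6),
    "data": (14, len(SAMPLE_FRAME) - 14),
}

# name[offset] or name[offset:length]; the {p} prefix keeps group names unique
_SLICE = r"(?P<{p}name>[A-Za-z_][\w.]*)\[(?P<{p}off>-?\d+)(?::(?P<{p}len>\d+))?\]"
EXPR_RE = re.compile(
    r"^\s*" + _SLICE.format(p="l")
    + r"\s*(?P<op>==|!=|eq|ne)\s*(?P<rhs>\S+)\s*$"
)
RHS_SLICE_RE = re.compile(r"^" + _SLICE.format(p="r") + r"$")


def parse_bytestring(text):
    """Parse a byte-string: '0xaa' (exactly one byte) or hex bytes separated
    by ':', '.' or '-' (assumed to be hexadecimal in this model)."""
    if text.lower().startswith("0x"):
        value = int(text, 16)
        if not 0 <= value <= 0xFF:
            raise ValueError("a 0x value must fit in one unsigned byte: %s" % text)
        return bytes([value])
    values = [int(p, 16) for p in re.split(r"[:.\-]", text)]
    if any(not 0 <= v <= 0xFF for v in values):
        raise ValueError("byte out of range in %s" % text)
    return bytes(values)


def slice_field(frame, fields, name, offset, length):
    """Return `length` bytes at `offset` within the named field or protocol,
    or None when the slice falls outside it. A negative offset counts back
    from the end of the field, as the man page describes."""
    start, field_len = fields[name]
    data = frame[start:start + field_len]
    if offset < 0:
        offset += len(data)
    if offset < 0 or offset + length > len(data):
        return None
    return data[offset:offset + length]


def evaluate(expr, frame=SAMPLE_FRAME, fields=SAMPLE_FIELDS):
    """Evaluate one substring comparison such as 'eth.src[0:3] == 00:00:83'."""
    m = EXPR_RE.match(expr)
    if not m:
        raise ValueError("unsupported expression: %s" % expr)
    name, offset = m.group("lname"), int(m.group("loff"))
    length = int(m.group("llen")) if m.group("llen") else None
    if name not in fields:
        raise ValueError("unknown field: %s" % name)

    r = RHS_SLICE_RE.match(m.group("rhs"))
    if r:
        # Field against field: there is no byte-string to infer a length
        # from, so both sides must state their length explicitly.
        if length is None or r.group("rlen") is None:
            raise ValueError("field-to-field comparison needs explicit lengths")
        rname = r.group("rname")
        if rname not in fields:
            raise ValueError("unknown field: %s" % rname)
        right = slice_field(frame, fields, rname, int(r.group("roff")), int(r.group("rlen")))
    else:
        right = parse_bytestring(m.group("rhs"))
        if length is None:
            length = len(right)  # length is implied by the byte-string given

    left = slice_field(frame, fields, name, offset, length)
    if left is None or right is None:
        return False  # slice runs outside the packet: no match either way
    equal = left == right
    return equal if m.group("op") in ("==", "eq") else not equal


if __name__ == "__main__":
    for e in ("eth.src[0:3] == 00:00:83", "eth.src[0] == 00:00:83",
              "eth.dst[0:3] == 0.6.29", "eth.src[0:3] == eth.dst[0:3]",
              "frame[-4] == 0.1.2.3", "frame[-4:4] ne 0.1.2.3", "data[2] == 0x03"):
        print("%-32s -> %s" % (e, evaluate(e)))
```

Two points the model makes visible: a comparison whose slice runs past the end of the field simply fails to match rather than raising, and a field-to-field comparison such as `eth.src[0] == eth.dst[0]` is rejected because neither side carries a byte-string from which a length could be inferred.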