Ethereal-users: RE: [Ethereal-users] yet another filter question

Note: This archive is from the project's previous web site. This list is no longer active.

From: "Broggy, David" <David.Broggy@xxxxxx>
Date: Thu, 24 Jan 2002 13:38:30 -0600
Title: RE: [Ethereal-users] yet another filter question

That's it! I didn't know there was a 'link' command. Where did you reference this from?

-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxx]
Sent: Thursday, January 24, 2002 1:38 PM
To: Broggy, David
Cc: 'ethereal-users@xxxxxxxxxxxx'
Subject: Re: [Ethereal-users] yet another filter question

> I don't quite understand the offset in capture filtering.

Which offset?  The "expr" in "proto [ expr : size ] " in the following
part of the tcpdump man page:

          expr relop expr
               True if the relation holds, where relop is one of
               >, <, >=, <=, =, !=, and expr is an arithmetic
               expression composed of integer constants
               (expressed in standard C syntax), the normal
               binary operators [+, -, *, /, &, |], a length
               operator, and special packet data accessors. To
               access data inside the packet, use the following
                    proto [ expr : size ]
               Proto is one of ether, fddi, ip, arp, rarp, tcp,
               udp, or icmp, and indicates the protocol layer for
               the index operation. The byte offset, relative to
               the indicated protocol layer, is given by expr.
               Size is optional and indicates the number of bytes
               in the field of interest; it can be either one,
               two, or four, and defaults to one. The length
               operator, indicated by the keyword len, gives the
               length of the packet.

               For example, `ether[0] & 1 != 0' catches all
               multicast traffic. The expression `ip[0] & 0xf != 5'
               catches all IP packets with options. The expression
               `ip[6:2] & 0x1fff = 0' catches only unfragmented
               datagrams and frag zero of fragmented datagrams.
               This check is implicitly applied to the tcp and udp
               index operations. For instance, tcp[0] always means
               the first byte of the TCP header, and never means
               the first byte of an intervening fragment.

> For example, take the following code:
> 0000  ff ff ff ff ff ff 00 40 68 1b 3d 26 00 60 ff ff   .......@h.=&.`..
> 0010  00 60 00 04 b0 b0 b0 b0 ff ff ff ff ff ff 04 52   .`.............R
> 0020  b0 b0 b0 b0 00 40 68 1b 3d 26 04 52 00 02 03 63   .....@h.=&.R...c
> 0030  45 53 49 31 37 38 35 31 32 36 00 00 00 00 00 00   ESI1785126......
> 0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> 0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> 0060  00 00 00 00 00 40 68 1b 3d 26 40 0b 00 01         .....@h.=&@...
> If I read this right 26 bytes into the packet it reads "b0b0b0b0". How would
> I capture packets with this pattern?

        link[26:4] = 0xb0b0b0b0

should, I think, do it - that checks whether the 4 bytes starting at an
offset of 26 bytes from the beginning of the link-layer header, when
interpreted as a big-endian number, have the value hex b0b0b0b0.
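A small evaluator for the `proto [ expr : size ]` accessor, added here as an example and not part of the thread, applied to the dump quoted in the question: it parses the dump, reads `size` bytes at a zero-based offset from the start of the named layer as a big-endian number, and lists every link-layer offset at which a given value actually sits, so a filter's offset can be checked against the capture before it is used. It assumes Ethernet framing (`link`/`ether` start at offset 0, `ip` at 14 only when the type field is 0x0800) and the 16-bytes-per-row column layout of the quoted dump.

```python
# Hex dump quoted in the question (transcribed here from the thread); only the
# hex columns are parsed, the ASCII column is ignored.
HEXDUMP = """\
0000  ff ff ff ff ff ff 00 40 68 1b 3d 26 00 60 ff ff   .......@h.=&.`..
0010  00 60 00 04 b0 b0 b0 b0 ff ff ff ff ff ff 04 52   .`.............R
0020  b0 b0 b0 b0 00 40 68 1b 3d 26 04 52 00 02 03 63   .....@h.=&.R...c
0030  45 53 49 31 37 38 35 31 32 36 00 00 00 00 00 00   ESI1785126......
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060  00 00 00 00 00 40 68 1b 3d 26 40 0b 00 01         .....@h.=&@...
"""

def parse_hexdump(text):
    """Rows are '<offset>  <hex pairs>   <ascii>'; hex pairs sit in columns 6..53."""
    data = bytearray()
    for line in text.splitlines():
        data.extend(int(h, 16) for h in line[6:54].split())
    return bytes(data)

def layer_start(pkt, proto):
    """Offset of the named layer under Ethernet framing: link/ether start at 0,
    ip at 14 only if the type field is IPv4 (None = layer absent, no match)."""
    if proto in ("link", "ether"):
        return 0
    if proto == "ip":
        return 14 if int.from_bytes(pkt[12:14], "big") == 0x0800 else None
    raise ValueError("unsupported proto %r" % proto)

def accessor(pkt, proto, off, size=1):
    """proto[off:size]: 'size' bytes at zero-based 'off' from the layer start,
    read big-endian; None when the layer is absent or the read runs off the end."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    base = layer_start(pkt, proto)
    if base is None or base + off + size > len(pkt):
        return None
    return int.from_bytes(pkt[base + off:base + off + size], "big")

def find_pattern(pkt, value, size=4):
    """Every link-layer offset at which link[off:size] = value holds."""
    return [off for off in range(len(pkt) - size + 1)
            if accessor(pkt, "link", off, size) == value]

PKT = parse_hexdump(HEXDUMP)
if __name__ == "__main__":
    print("link[26:4] = 0x%08x" % accessor(PKT, "link", 26, 4))
    print("0xb0b0b0b0 found at link offsets", find_pattern(PKT, 0xB0B0B0B0))
    print("ether[0] & 1 != 0 ->", accessor(PKT, "ether", 0) & 1 != 0)
    print("ip[0] ->", accessor(PKT, "ip", 0))
```

Run on the quoted dump it reports that link[26:4] reads 0xffffffff and that 0xb0b0b0b0 sits at link offsets 20 and 32 (counting from zero), which is why it is worth confirming the offset against the capture before relying on the filter. The type field of this frame is 0x0060, so ip[...] accessors yield no match on it.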
