Ethereal-users: Re: [Ethereal-users] [Win32] Capture filter to capture only packets with certain

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 29 Nov 2003 13:23:24 -0800
On Sat, Nov 29, 2003 at 09:48:52AM +0100, Admin wrote:
> I'm completely new with ethereal and can't find the right
> information to set a capture filter on certain byte(s).
> 
> I want to capture nicknames from a UDP packet which has
> a maximum size of 84 bytes and with only a few bytes that
> are unique.

If the bytes are at a fixed offset in the UDP payload, you could use a
capture filter expression

	udp[{offset}:{length}] = XXXX

"{offset}" is the offset from the beginning of the UDP *header*;
fortunately, the UDP header is fixed length.

"{length}" is 1, 2, or 4 - if you want to test more bytes, you have to
use multiple tests, and if you want to test 3 bytes, you would need to
mask with the "&" operator (see the WinDump documentation for a detailed
description of the capture filter syntax).

"XXXX" is the value to test.  Note that 2-byte or 4-byte quantities will
be fetched in big-endian order.

If you want to look for packets that contain those bytes *anywhere* in
the UDP payload, you're out of luck - the capture filter mechanism in
libpcap/WinPcap is implemented with a pseudo-machine-language that
doesn't support a "check for this anywhere in the packet" operation.
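
As an added example (not part of Guy's reply, nor code from the Ethereal or WinDump projects), the following shell function assembles such a filter from a byte pattern and a payload offset. It applies the rules in the reply: it adds the 8-byte UDP header to the payload offset, splits the pattern into 4-, 2- and 1-byte tests joined with `and`, and handles a 3-byte remainder by loading 4 bytes and masking with `&`. The function name `bpf_udp_bytes` and the sample pattern are made up for the example.

```shell
#!/bin/sh
# Build a libpcap/WinPcap capture filter that matches a fixed byte
# sequence at a fixed offset in a UDP payload, using only the
# udp[offset:length], "&" and "and" syntax described in the reply.
# Added example; not part of the original post. The helper name
# bpf_udp_bytes and the sample pattern below are constructed.

UDP_HDR_LEN=8   # udp[N] counts from the UDP *header*, so add the 8-byte header

# bpf_udp_bytes PAYLOAD_OFFSET HEXBYTES
#   PAYLOAD_OFFSET  offset of the pattern inside the UDP payload (decimal)
#   HEXBYTES        bytes to match, as an even-length hex string
# Prints one filter expression on stdout; returns 1 on bad input.
bpf_udp_bytes() {
    case "$1" in
        '' | *[!0-9]* ) echo "bad offset: $1" >&2; return 1 ;;
    esac
    hex=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$hex" in
        '' | *[!0-9a-f]* ) echo "bad hex: $2" >&2; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo "odd-length hex: $2" >&2; return 1
    fi

    off=$(( $1 + UDP_HDR_LEN ))
    filter=''
    while [ -n "$hex" ]; do
        n=$(( ${#hex} / 2 ))          # bytes still to match
        if [ "$n" -ge 4 ]; then len=4; else len=$n; fi

        chunk=$(printf '%s' "$hex" | cut -c1-$(( len * 2 )))
        hex=$(printf '%s' "$hex" | cut -c$(( len * 2 + 1 ))-)

        if [ "$len" -eq 3 ]; then
            # BPF loads are 1, 2 or 4 bytes: load 4 and mask off the last one.
            # Multi-byte values are compared in big-endian order, so the three
            # pattern bytes sit in the high 24 bits of the loaded word.
            term="udp[$off:4] & 0xffffff00 = 0x${chunk}00"
        else
            term="udp[$off:$len] = 0x$chunk"
        fi

        if [ -z "$filter" ]; then filter=$term; else filter="$filter and $term"; fi
        off=$(( off + len ))
    done
    printf '%s\n' "$filter"
}

# Example: the constructed pattern "Nick" (4e69636b) at payload offset 12.
bpf_udp_bytes 12 4e69636b
```

Pass the printed expression to WinDump or tcpdump in quotes; `-d` compiles it and dumps the resulting pseudo-machine code without capturing, which is a quick way to confirm the syntax. Because the bytes are loaded in big-endian order, the hex string can be written exactly as the bytes appear in the packet. One caveat with the 3-byte case: the masked 4-byte load needs one byte beyond the pattern to exist in the packet, since BPF rejects a packet when a load runs past the end of the captured data; if the pattern can end on the last byte of the payload, use `udp[off:2] = ... and udp[off+2:1] = ...` instead.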