Ethereal-users: Re: [Ethereal-users] [Win32] Capture filter to capture only packets with certain

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "jon baer" <ethereal@xxxxxxxxxxx>
Date: Sat, 29 Nov 2003 20:14:38 -0500
while it would be really nice to see or have the ability to let Snort rules
actually *be* ethereal capture filters (any thoughts on that?) ... you are
better off not using ethereal in terms of packet capture / filter ... use
snort to accomplish it (www.winsnort.com) and analyze w/ ethereal.

- jon

----- Original Message -----
From: "Admin" <admin@xxxxxxxxxxxxxxxxxxx>
To: <ethereal-users@xxxxxxxxxxxx>
Sent: Saturday, November 29, 2003 3:48 AM
Subject: [Ethereal-users] [Win32] Capture filter to capture only packets with
certain content/bytes


> Hello ethereal-users,
>
> I'm completely new with ethereal and can't find the right
> information to set a capture filter on certain byte(s).
>
> I want to capture nicknames from a UDP packet which has
> a maximum size of 84 bytes and with only a few bytes that
> are unique. (I still get some bogus packets, but that's no big deal)
>
> These are 2 example packets
>
> 0000 00 90 27 A7 69 5D 00 08 E2 C6 38 00 08 00 45 20 ..'.i]....8...E
> 0010 00 35 C8 95 00 00 75 11 A7 CB D9 52 29 76 D9 78 .5....u....R)v.x
> 0020 F8 F5 0C C3 6C F0 00 21 2E 58 8B 0F 00 4D 4A 31 ....l..!.X...MJ1
> 0030 32 20 7C 7C 20 4D 61 73 74 65 72 00 00 00 96 18 2 || Master.....
> 0040 00 00 00                                        ...
>
> 0000 00 90 27 A7 69 5D 00 08 E2 C6 38 00 08 00 45 00 ..'.i]....8...E
> 0010 00 45 AC C2 00 00 6F 11 1A 0B 51 E3 60 89 D9 78  .E....o...Q.`..x
> 0020 F8 F5 38 42 6C F0 00 31 6E FE 8B 1F 00 49 68 61 ..8Bl..1n....Iha
> 0030 76 65 61 6C 6F 6E 67 6E 61 6D 65 73 69 6E 63 65 vealongnamesince
> 0040 73 70 6F 6F 6B 73 74 61 68 74 6F 00 00 00 96 29 spookstahto....)
> 0050 00 00 00                                        ...
>
> The only bytes which return in all packets are 8B and 00 00 00 90,
> but 8B returns in a lot of other packets, so it is not really useful; also
> the last 00 00 00 always returns, but the byte before it changes with
> every packet.
>
> This is the capture filter which I have set atm:
>
> udp port 27888 and dst host 217.120.248.245 and len <= 84
>
> What more do I need to set to get only packets which contain 00 00 00
> 90, or if anyone has a better idea, please hook me up with it.
>
> --
> Best regards,
>  GJ de Boer                          mailto:admin@xxxxxxxxxxxxxxxxxxx
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>
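The question above turns on where the constant bytes sit inside the UDP datagram, because a libpcap capture filter such as `udp[N:4] = 0x...` selects on a byte offset, not on "contains". The following script is an added example, not code from the thread or from the Ethereal project: it parses the two hex dumps quoted in the message, walks Ethernet, IPv4 and UDP to find the payload, and shows that the constant trailer (the dumps show `00 00 00 96`, followed by one varying byte and `00 00 00`) always starts 8 bytes before the end of the datagram, at a different absolute offset in each packet. It then composes a filter that takes that offset from the UDP length field (`udp[4:2]`) rather than from a fixed number. The function names, the nickname-field layout (three-byte prefix, name, trailer) and the derived filter string are this example's own; the assumption that the WinPcap build in use accepts packet-data arithmetic inside an index expression is labelled in the code.

```python
"""Added example: locate the constant UDP trailer in the two dumped frames
and derive a libpcap capture-filter offset for it.  The hex dumps are copied
from the original message; everything else here is this example's own."""
import struct

# Both dumps copied from the original message (ASCII columns stripped).
DUMP_1 = """\
0000 00 90 27 A7 69 5D 00 08 E2 C6 38 00 08 00 45 20
0010 00 35 C8 95 00 00 75 11 A7 CB D9 52 29 76 D9 78
0020 F8 F5 0C C3 6C F0 00 21 2E 58 8B 0F 00 4D 4A 31
0030 32 20 7C 7C 20 4D 61 73 74 65 72 00 00 00 96 18
0040 00 00 00"""
DUMP_2 = """\
0000 00 90 27 A7 69 5D 00 08 E2 C6 38 00 08 00 45 00
0010 00 45 AC C2 00 00 6F 11 1A 0B 51 E3 60 89 D9 78
0020 F8 F5 38 42 6C F0 00 31 6E FE 8B 1F 00 49 68 61
0030 76 65 61 6C 6F 6E 67 6E 61 6D 65 73 69 6E 63 65
0040 73 70 6F 6F 6B 73 74 61 68 74 6F 00 00 00 96 29
0050 00 00 00"""

MARKER = bytes.fromhex("00000096")  # constant trailer present in both dumps
ETH_HDR = 14                        # Ethernet II header length


def parse_dump(text):
    """Convert an Ethereal-style hex dump (offset column + hex bytes) to raw bytes."""
    raw = bytearray()
    for line in text.splitlines():
        raw.extend(int(h, 16) for h in line.split()[1:])  # drop the offset column
    return bytes(raw)


def udp_fields(frame):
    """Walk Ethernet -> IPv4 -> UDP; return (payload, info) or None if not IPv4/UDP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[ETH_HDR + 9] != 17:                  # IP protocol 17 = UDP
        return None
    dst_ip = ".".join(str(b) for b in frame[ETH_HDR + 16:ETH_HDR + 20])
    udp_off = ETH_HDR + ihl
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    payload = frame[udp_off + 8:udp_off + ulen]
    return payload, {"dst_ip": dst_ip, "dport": dport, "udp_len": ulen, "udp_off": udp_off}


def trailer_offset(payload):
    """Offset of MARKER counted from the start of the UDP header, as udp[N] counts it."""
    idx = payload.rfind(MARKER)
    return None if idx < 0 else 8 + idx


def nickname(payload):
    """Assumed field layout: 3-byte prefix (8B xx 00), then the name, then the trailer."""
    idx = payload.rfind(MARKER)
    return payload[3:idx].decode("ascii", errors="replace") if idx >= 0 else ""


def bpf_filter(dst_ip, dport, max_len):
    """The poster's filter plus a trailer test.  The trailer starts 8 bytes before
    the end of the datagram, so the index is computed from the UDP length field
    (udp[4:2]).  Assumption: the libpcap/WinPcap build doing the capture accepts
    packet-data arithmetic inside an index, as current libpcap does."""
    return (f"udp port {dport} and dst host {dst_ip} and len <= {max_len} "
            f"and udp[udp[4:2]-8:4] = 0x{MARKER.hex()}")


def matches(frame, dst_ip="217.120.248.245", dport=27888, max_len=84):
    """Pure-Python evaluation of the same predicate (destination port only),
    so the filter logic can be checked against the dumped frames offline."""
    parsed = udp_fields(frame)
    if parsed is None or len(frame) > max_len:
        return False
    _, info = parsed
    if info["dport"] != dport or info["dst_ip"] != dst_ip:
        return False
    start = info["udp_off"] + info["udp_len"] - 8
    return frame[start:start + 4] == MARKER


FRAME_1, FRAME_2 = parse_dump(DUMP_1), parse_dump(DUMP_2)

if __name__ == "__main__":
    for frame in (FRAME_1, FRAME_2):
        payload, info = udp_fields(frame)
        print(f"udp_len={info['udp_len']} trailer at udp[{trailer_offset(payload)}] "
              f"name={nickname(payload)!r} matches={matches(frame)}")
    print(bpf_filter("217.120.248.245", 27888, 84))
```

Running it shows the trailer at `udp[25]` in the first frame and `udp[41]` in the second, which is why a fixed-offset test cannot work here while `udp[udp[4:2]-8:4]` matches both. The 4-byte comparison value is taken in network byte order, so `0x00000096` corresponds to the bytes `00 00 00 96` exactly as they appear in the dumps; a filter written for `00 00 00 90` would match neither frame.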