Hi,

You can only filter for bytes in packets that are ethernet, fddi, ip, arp, rarp, tcp, udp or icmp; and only checking for 1 specific byte, a 2-byte chain or a 4-byte chain.

In order to do that, you select the byte's position in the packet, relative to the start of the protocol you are using in the filter expression. For instance, to check for the "length" field in IP, you select bytes 2 and 3 of ip (byte 0 is the version and header length, byte 1 the TOS). Say you want to look for packets longer than 1400 bytes; that would be:

ip[2:2] > 1400

That is: the range of two bytes starting at byte two of IP information is higher than 1400.

Note that you must take all the bytes and convert them to an integer. For instance, to check for IP source address equal to 3.3.3.3, you need to take the four bytes 03030303 and, given that bytes can be seen as two-digit hex numbers, use 0x3030303:

ip[12:4] == 0x3030303

or, in decimal,

ip[12:4] == 50529027

You can also test for the A-like or B-like network, as in:

ip[12] == 0x3 (addresses 3/8)
ip[12:2] == 0x303 (addresses 3.3/16)

but you cannot test for the C-like network, because that would mean

ip[12:3] == 0x30303 (addresses 3.3.3/24)

and you cannot test for a three-byte chain.

For more complex filters, you can play with masks, like in

ip[1] & 248 == 0

to test for the Differentiated Services value: the DSCP takes the first 5 bits in byte 1 of the IP packet, so you need to AND that byte with a binary number that has 5 ones and 3 zeros, b11111000, that is 248.

So, to test for a C-like network you can do:

ip[12:4] & 0xffffff00 == 0x3030300

I hope that helps. Regards,
Francisco
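As an added example (not part of the mail above, and not tcpdump's own code), the following Python mirrors the ip[offset:len] semantics described in the reply on a constructed IPv4 header, so the byte-to-integer conversions behind each filter can be checked offline before the expression is used on a live capture. The header builder and the sample addresses are constructed for illustration.

```python
"""Evaluate tcpdump-style byte-offset tests against a constructed IPv4 header."""
import struct


def build_ipv4_header(total_length, tos, src, dst):
    """Constructed sample: a minimal 20-byte IPv4 header, no options, no payload."""
    ver_ihl = (4 << 4) | 5                  # version 4, IHL = 5 x 32-bit words
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto(TCP), checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_length,
                       0x1234, 0x4000, 64, 6, 0, src_b, dst_b)


def ip_field(header, offset, length=1):
    """ip[offset:length]: the selected bytes read as one big-endian integer.
    tcpdump accepts only 1-, 2- or 4-byte ranges, as the reply explains."""
    if length not in (1, 2, 4):
        raise ValueError("tcpdump accepts only 1-, 2- or 4-byte ranges")
    return int.from_bytes(header[offset:offset + length], "big")


def matches_filters(header):
    """Evaluate every filter quoted in the reply; return {expression: bool}."""
    return {
        "ip[2:2] > 1400": ip_field(header, 2, 2) > 1400,
        "ip[12:4] == 0x3030303": ip_field(header, 12, 4) == 0x3030303,
        "ip[12] == 0x3": ip_field(header, 12) == 0x3,
        "ip[12:2] == 0x303": ip_field(header, 12, 2) == 0x303,
        "ip[1] & 248 == 0": ip_field(header, 1) & 248 == 0,
        "ip[12:4] & 0xffffff00 == 0x3030300":
            ip_field(header, 12, 4) & 0xffffff00 == 0x3030300,
    }


# Constructed packets: one that every filter in the reply should match, and one
# from 3.3.4.9 (same /16, different /24) with a non-zero DSCP and a short length.
SAMPLE = build_ipv4_header(1500, 0x00, "3.3.3.3", "10.0.0.1")
OTHER = build_ipv4_header(60, 0xb8, "3.3.4.9", "10.0.0.1")

if __name__ == "__main__":
    for packet_name, pkt in (("SAMPLE", SAMPLE), ("OTHER", OTHER)):
        print(packet_name)
        for expr, ok in matches_filters(pkt).items():
            print(f"  {expr:40s} {ok}")
```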
Hi:

Anybody have an example or an explanation a little simpler than the "cryptic" information of the tcpdump man page to create a Capture filter to select bytes or a range of bytes in a packet?

Regards,