Ethereal-users: Re: [Ethereal-users] http content capture filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 08 Feb 2005 12:07:27 -0800
NOEL, ANDRE wrote:

Is there any way to do a capture filter based on the HTTP data content? I want to capture every packet that contains the word CONNECT.

There's no general "string match" instruction in the BPF pseudo-machine used for capture filters, nor are there any backwards branches in the BPF pseudo-machines in various OS kernels (so that you can't load a pseudo-program that can loop infinitely), so there's no way to look for CONNECT at any arbitrary offset in the packet.

You can look for it at a *specific* offset in the packet, although it's not easy to construct the expression:

	http://home.insight.rr.com/procana/#Payload
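
The fixed-offset match described in the reply above, as an added example that is not part of the original message: a Python sketch that builds a libpcap filter comparing the bytes at a chosen offset in the TCP payload, and evaluates the same comparisons on constructed TCP segments to show that the string is found only at that offset. The function names, ports and sample payloads are hypothetical.

```python
import struct

# TCP data offset is the high nibble of byte 12, in 32-bit words;
# (x & 0xf0) >> 2 converts it to a byte count (start of payload).
TCP_PAYLOAD = "((tcp[12:1] & 0xf0) >> 2)"

def chunks(needle: bytes):
    """Split needle into (relative offset, size, value); BPF loads are 1, 2 or 4 bytes."""
    out, pos = [], 0
    while pos < len(needle):
        size = next(s for s in (4, 2, 1) if s <= len(needle) - pos)
        out.append((pos, size, int.from_bytes(needle[pos:pos + size], "big")))
        pos += size
    return out

def build_filter(needle: bytes, payload_offset: int = 0) -> str:
    """Capture filter text matching needle at a fixed offset in the TCP payload."""
    terms = []
    for rel, size, value in chunks(needle):
        off = payload_offset + rel
        idx = TCP_PAYLOAD if off == 0 else f"{TCP_PAYLOAD} + {off}"
        terms.append(f"tcp[{idx}:{size}] = 0x{value:0{size * 2}x}")
    return " and ".join(terms)

def matches(segment: bytes, needle: bytes, payload_offset: int = 0) -> bool:
    """Evaluate the same fixed-offset comparisons against a raw TCP segment."""
    start = ((segment[12] & 0xF0) >> 2) + payload_offset
    for rel, size, value in chunks(needle):
        field = segment[start + rel:start + rel + size]
        if len(field) < size or int.from_bytes(field, "big") != value:
            return False
    return True

def tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample: minimal TCP header (ports 40000 -> 8080) plus payload."""
    assert len(options) % 4 == 0
    doff = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 8080, 1, 1, doff << 4, 0x18, 65535, 0, 0)
    return header + options + payload

if __name__ == "__main__":
    # Filter for CONNECT at the very start of the TCP payload.
    print(build_filter(b"CONNECT"))
    print(matches(tcp_segment(b"CONNECT example.test:443 HTTP/1.1\r\n"), b"CONNECT"))
    print(matches(tcp_segment(b"GET /?q=CONNECT HTTP/1.1\r\n"), b"CONNECT"))
```

The second segment contains CONNECT but not at the compared offset, so the fixed-offset filter does not match it; a display filter applied after capture is needed for a search at arbitrary offsets.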