Ethereal-users: RE : [Ethereal-users] http content capture filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "NOEL, ANDRE" <andre.noel@xxxxxxxxxxx>
Date: Tue, 8 Feb 2005 16:13:23 -0500
Hi,

Still I would prefer to be able to define it in the capture filter
I understand that it is not possible and I will go with the display
filter.

Many thanks.
---

Connexim, une société en commandite de Bell Canada
André Noël  -  Capacité et performance de réseaux
671, De la Gauchetière Ouest
Bureau 744
Montréal, Qc   H3B 2M8
Tél.:          514-870-0496
Courriel:    andre.noel@xxxxxxxxxxx

-----Message d'origine-----
De : ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] De la part de Guy Harris
Envoyé : 8 février 2005 15:07
À : Ethereal user support
Objet : Re: [Ethereal-users] http content capture filter

NOEL, ANDRE wrote:

> Is there any way to do a capture filter based on the HTTP data content ? 
>  I want to capture Every packet that contains  the word   CONNECT.

There's no general "string match" instruction in the BPF pseudo-machine 
used for capture filters, nor are there any backwards branches in the 
BPF pseudo-machines in various OS kernels (so that you can't load a 
pseudo-program that can loop infinitely), so there's no way to look for 
CONNECT at any arbitrary offset in the packet.

You can look for it at a *specific* offset in the packet, although it's 
not easy to construct the expression:

	http://home.insight.rr.com/procana/#Payload

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users