Ethereal-users: RE: [Ethereal-users] Capture filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Rancier, Jeff" <Jeff.Rancier@xxxxxxxxxx>
Date: Fri, 29 Apr 2005 16:11:57 -0400
Yes, thanks.  Can I assume that the [x:y] format compares y number of bytes
starting from offset x in the packet?  I must've missed this in the
documentation.

Jeff

-----Original Message-----
From: MH [mailto:procana@xxxxxxxxxxxxxx] 
Sent: Friday, April 29, 2005 3:46 PM
To: Rancier, Jeff
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] Capture filters


On Fri, Apr 29, 2005 at 12:51:36PM -0400, Rancier, Jeff wrote:
> Can someone explain the following filter (from the Wiki):
> 
> icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA
>

Hi Jeff,

The filter looks for an icmp echo request that is 92 bytes long
and has an icmp payload that begins with 4 bytes of A's (hex).  It is
the signature of the welchia worm just before it tries to compromise
a system.

Hope this helps,
Mike
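The three byte-offset tests in that filter can be checked against a raw IPv4 packet without tcpdump at all, which makes the semantics of `proto[x:y]` concrete: y bytes (libpcap allows 1, 2 or 4) read big-endian starting at byte offset x of the named protocol header, so `ip[2:2]` is the IP total-length field and `icmp[8:4]` is the first four bytes after the 8-byte echo header. The script below is an added example written for this archive page, not code from the list or from the Ethereal/tcpdump projects; it emulates the offset semantics in plain Python (an assumption about how `icmp[]` is anchored, namely at the first byte after the IP header as given by IHL), and all sample packets are constructed inline, including a 92-byte echo request whose payload starts with 0xAA bytes as Mike describes.

```python
import struct

ICMP_ECHO = 8        # tcpdump's icmp-echo keyword expands to ICMP type 8
IPPROTO_ICMP = 1


def ip_field(pkt: bytes, offset: int, size: int):
    """Emulate tcpdump's ip[offset:size]: read `size` bytes big-endian,
    counting from the first byte of the IPv4 header. None if out of range."""
    chunk = pkt[offset:offset + size]
    if len(chunk) != size:
        return None
    return int.from_bytes(chunk, "big")


def icmp_field(pkt: bytes, offset: int, size: int):
    """Emulate tcpdump's icmp[offset:size]: like ip[] but counted from the
    first byte of the ICMP header, which follows the IHL*4-byte IP header.
    (Assumed anchoring; only valid when the IP protocol field is ICMP.)"""
    if ip_field(pkt, 9, 1) != IPPROTO_ICMP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return ip_field(pkt, ihl + offset, size)


def matches_welchia_filter(pkt: bytes) -> bool:
    """icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA"""
    return (icmp_field(pkt, 0, 1) == ICMP_ECHO        # icmptype = offset 0, 1 byte
            and ip_field(pkt, 2, 2) == 92              # IP total length, 2 bytes
            and icmp_field(pkt, 8, 4) == 0xAAAAAAAA)   # first 4 payload bytes


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(icmp_type: int, payload: bytes,
                      src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed sample packet: 20-byte IPv4 header + 8-byte ICMP header + payload.
    Addresses are placeholder RFC 1918 values."""
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    csum = inet_checksum(icmp_hdr + payload)
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, csum, 0x1234, 1)
    total_len = 20 + len(icmp_hdr) + len(payload)
    fields = [0x45, 0, total_len, 0xABCD, 0, 64, IPPROTO_ICMP, 0, src, dst]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp_hdr + payload


# Constructed samples (not real captures):
# 64-byte payload beginning with four 0xAA bytes -> 20 + 8 + 64 = 92 bytes total
WELCHIA_LIKE = build_icmp_packet(ICMP_ECHO, b"\xaa" * 4 + b"\x00" * 60)
# an ordinary 84-byte echo request with a counting payload
NORMAL_PING = build_icmp_packet(ICMP_ECHO, bytes(range(56)))
# same size and payload as the signature, but an echo reply (type 0)
ECHO_REPLY = build_icmp_packet(0, b"\xaa" * 4 + b"\x00" * 60)
# same bytes with the IP protocol field flipped to TCP (6): icmp[] must not apply
NOT_ICMP = WELCHIA_LIKE[:9] + b"\x06" + WELCHIA_LIKE[10:]


if __name__ == "__main__":
    for name, pkt in [("welchia-like", WELCHIA_LIKE), ("normal ping", NORMAL_PING),
                      ("echo reply", ECHO_REPLY), ("not icmp", NOT_ICMP)]:
        print(f"{name:13s} len={len(pkt):3d} ip[2:2]={ip_field(pkt, 2, 2)} "
              f"match={matches_welchia_filter(pkt)}")
```

Only the first sample satisfies all three conditions; the reply and the re-labelled packet show why the type test and the protocol check matter, and `NORMAL_PING` shows that the length test alone (`ip[2:2]`) already rejects most legitimate echo traffic. Because the filter keys on fixed bytes, a signature like this is a cheap first-pass detector on a capture box, not proof of infection on its own.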