Wireshark · Ethereal-users: Re: [Ethereal-users] capture filter question - how to use offsets

Ethereal-users: Re: [Ethereal-users] capture filter question - how to use offsets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Hansang Bae <hbae@xxxxxxxxxx>

Date: Wed, 07 Dec 2005 22:06:34 -0500

On 08:30 PM 12/7/2005, Ken Young wrote:
>I am trying to create a capture filter for Ethereal (0.10.13) to capture all
>traffic using a tcp destination port of 23 (telnet).
>
>I know I could simply use 'tcp dst port 23' to achieve the end result but I
>would also like to know how to perform this using offsets.  Just for
>learning purposes
>
>[snip
>
>I tried to create a capture filter such as:
>tcp [2] == 00 17   And
>tcp[2:2] == 00 17
>
>but neither of them work correctly....what am I missing?

The syntax is:

proto[byte offset:number of bytes to check] OPERATOR blah

so tcp[25]=23 ought to do it.  If you don't specify it, the default number of bytes to read is 1 byte.

Follow-Ups:
- Re: [Ethereal-users] capture filter question - how to use offsets
  - From: Guy Harris

References:
- [Ethereal-users] capture filter question - how to use offsets
  - From: Ken Young

Prev by Date: [Ethereal-users] capture filter question - how to use offsets
Next by Date: Re: [Ethereal-users] capture filter question - how to use offsets
Previous by thread: [Ethereal-users] capture filter question - how to use offsets
Next by thread: Re: [Ethereal-users] capture filter question - how to use offsets
Index(es):
- Date
- Thread