Ethereal-users: Re: [Ethereal-users] capture filter question - how to use offsets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 07 Dec 2005 23:00:47 -0800
Hansang Bae wrote:


The syntax is:

proto[byte offset:number of bytes to check] OPERATOR blah

so tcp[25]=23 ought to do it.
...except that the offset into the TCP header of the destination port is 2, not 25... 


If you don't specify it, the default number of bytes
to read is 1 byte.
...and the length of the destination port is 2 bytes, so that's "tcp[2:2] = 23".