Wireshark · Ethereal-users: Re: Re: [Ethereal-users] capture filter question - how to use offsets

Ethereal-users: Re: Re: [Ethereal-users] capture filter question - how to use offsets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ken Young <ciscokid@xxxxxxxxxxxxxxx>

Date: Thu, 8 Dec 2005 10:43:26 -0500

Thanks so much...it looks like my problem then was the fact I was trying to match based on the HEX value not the decimal.

Thanks!!
> 
> From: Guy Harris <gharris@xxxxxxxxx>
> Date: 2005/12/08 Thu AM 02:00:47 EST
> To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
> Subject: Re: [Ethereal-users] capture filter question - how to use  offsets
> 
> Hansang Bae wrote:
> 
> > The syntax is:
> > 
> > proto[byte offset:number of bytes to check] OPERATOR blah
> > 
> > so tcp[25]=23 ought to do it.
> 
> ...except that the offset into the TCP header of the destination port is 
> 2, not 25...
> 
> > If you don't specify it, the default number of bytes
> > to read is 1 byte.
> 
> ...and the length of the destination port is 2 bytes, so that's 
> "tcp[2:2] = 23".
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>

Follow-Ups:
- Re: [Ethereal-users] capture filter question - how to use offsets
  - From: Guy Harris

Prev by Date: Re: [Ethereal-users] Using Text2pcap
Next by Date: Re: [Ethereal-users] direct decode of higher layers without lower layer headers
Previous by thread: Re: [Ethereal-users] capture filter question - how to use offsets
Next by thread: Re: [Ethereal-users] capture filter question - how to use offsets
Index(es):
- Date
- Thread