On May 12, 2010, at 11:37 PM, 刘延君 wrote:
> Hello:
> In this page, I found an example; maybe it has a problem.
> http://wiki.wireshark.org/CaptureFilters
>
> (tcp[2:2] > 1500 and tcp[2:2] < 1550) or (tcp[4:2] > 1500 and tcp[4:2] < 1550)
> It should be
> (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
Yes - as Jaap noted, it's now fixed. Thanks.
Note also that right after that example is a somewhat easier filter to use for that:
    tcp portrange 1501-1549
which also has the advantage that, in versions of libpcap that support IPv6 (which newer ones do by default - and in some systems with older libpcaps the version that's shipped with the system might have IPv6 support built in), it checks for both TCP-over-IPv4 and TCP-over-IPv6 packets with port numbers in that range.
I.e., the only reason why anybody should use
    (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
rather than
    tcp portrange 1501-1549
is that their system, or their Wireshark, is using libpcap 0.9.0 or earlier.
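
The offsets in the thread above map onto the TCP header as follows: bytes 0-1 are the source port, bytes 2-3 the destination port, and bytes 4-5 the upper half of the sequence number. As an added example (not part of the original message or of Wireshark/libpcap), this Python sketch evaluates the originally quoted expression, the corrected one, and the portrange form over constructed TCP headers; all function names and sample values are assumptions made for illustration.

```python
import struct

def tcp_header(sport, dport, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (constructed sample, no options)."""
    offset_flags = (5 << 12) | 0x010          # data offset = 5 words, ACK set
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, 65535, 0, 0)

def tcp(hdr, off, size):
    """Model of the filter accessor tcp[off:size]: big-endian unsigned value."""
    return int.from_bytes(hdr[off:off + size], "big")

def original_filter(hdr):
    # Expression as first quoted: tests dest port and sequence-number bytes.
    return (1500 < tcp(hdr, 2, 2) < 1550) or (1500 < tcp(hdr, 4, 2) < 1550)

def corrected_filter(hdr):
    # Corrected expression: tests source port and dest port.
    return (1500 < tcp(hdr, 0, 2) < 1550) or (1500 < tcp(hdr, 2, 2) < 1550)

def portrange(hdr, lo=1501, hi=1549):
    # Model of "tcp portrange 1501-1549" (inclusive bounds) on the TCP header.
    sport, dport = struct.unpack("!HH", hdr[:4])
    return lo <= sport <= hi or lo <= dport <= hi

# Constructed sample headers, chosen to separate the three expressions.
SAMPLES = {
    "src port in range": tcp_header(1520, 80, seq=0x00010000),
    "dst port in range": tcp_header(40000, 1520),
    "seq high bytes in range": tcp_header(40000, 80, seq=1520 << 16),
    "ports on the bounds": tcp_header(1500, 1550),
}

def evaluate():
    """Return {sample: (original, corrected, portrange)} match results."""
    return {name: (original_filter(h), corrected_filter(h), portrange(h))
            for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:26} original={result[0]!s:5} "
              f"corrected={result[1]!s:5} portrange={result[2]}")
```

The originally quoted offsets miss traffic whose source port is in range and match unrelated packets whose sequence number happens to start with a value between 1501 and 1549, which matters when the capture filter decides what evidence is recorded.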