Frank Bulk wrote:
Now, to take it one step farther, I need to apply that capture filter to the
client field (labeled in the display filter 'bootp.hw.mac_addr').
Is that possible in a capture filter? And if you're going to ask if the
offset from the start of the packet is consistent, it's not.

Offsets can be computed based on the values in other fields:

    expr relop expr
        True if the relation holds, where relop is one of >, <, >=, <=,
        =, !=, and expr is an arithmetic expression composed of integer
        constants (expressed in standard C syntax), the normal binary
        operators [+, -, *, /, &, |, <<, >>], a length operator, and
        special packet data accessors. Note that all comparisons are
        unsigned, so that, for example, 0x80000000 and 0xffffffff are
        > 0. To access data inside the packet, use the following syntax:

            proto [ expr : size ]

I.e., it says "expr" in "proto[expr:size]", which means the offset in
"proto[expr:size]" can be an arbitrary expression.
Figuring out the right expression is left as an exercise for the
reader. (If it involves a loop, however, forget it - the offset
*eventually* has to be based on values at a fixed offset from, for
example, the beginning of the UDP payload. Fortunately, the UDP header
is fixed-length....)
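
An added example, not part of the original message: a Python sketch that builds a capture filter for the BOOTP client hardware address and emulates the proto[expr:size] load with an offset computed from the IP header length field. It assumes the RFC 951 layout (chaddr at byte 28 of the BOOTP message) and a 6-byte Ethernet address; the function names and the sample packet are constructed for illustration.

```python
import struct

BOOTP_CHADDR = 28   # assumed: chaddr offset inside the BOOTP message (RFC 951)
UDP_HDR = 8         # the UDP header is fixed-length

def chaddr_filter(mac: str) -> str:
    """Build a capture filter term matching the BOOTP client hardware address."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 6-byte MAC address")
    off = UDP_HDR + BOOTP_CHADDR
    # Accessor sizes are limited to 1, 2 or 4 bytes, so 6 bytes become 4 + 2.
    return f"udp[{off}:4] = 0x{b[:4].hex()} and udp[{off + 4}:2] = 0x{b[4:].hex()}"

def load(pkt: bytes, off: int, size: int) -> int:
    """Emulate proto[off:size]: unsigned big-endian load from the header start."""
    return int.from_bytes(pkt[off:off + size], "big")

def chaddr_via_ip(ip_pkt: bytes) -> bytes:
    """Same field read through ip[]: the offset is computed from ip[0] & 0xf."""
    ihl = (load(ip_pkt, 0, 1) & 0xf) << 2      # header length, words -> bytes
    off = ihl + UDP_HDR + BOOTP_CHADDR
    hi, lo = load(ip_pkt, off, 4), load(ip_pkt, off + 4, 2)
    return hi.to_bytes(4, "big") + lo.to_bytes(2, "big")

def sample_packet(mac: bytes, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4/UDP/BOOTP request; checksums are left at zero."""
    bootp = bytes([1, 1, 6, 0]) + bytes(24) + mac + bytes(10) + bytes(192)
    udp = struct.pack("!HHHH", 68, 67, UDP_HDR + len(bootp), 0) + bootp
    ihl_words = (20 + len(ip_options)) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                     20 + len(ip_options) + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return ip + ip_options + udp

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")          # constructed sample address
    print(chaddr_filter("00:11:22:33:44:55"))
    # The computed offset finds chaddr with and without IP options present.
    print(chaddr_via_ip(sample_packet(mac)).hex())
    print(chaddr_via_ip(sample_packet(mac, bytes([1, 1, 1, 0]))).hex())
```

The udp[...] form is relative to the start of the UDP header, so the variable IP header length is already accounted for; the ip[...] form shows the same offset written out as an expression over another field.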