On 14.02.2008, at 05:22, Greg Helps wrote:

Hi,
My question's probably quite simple, but I'd like to frame it by explaining my situation first. I come from an environment that uses Citrix MetaFrame. A Citrix session establishes itself on TCP port 1494 or 2598 by default. All activities utilise this single conversation, meaning screen drawing, mouse movements, clipboard copies, client-side drive mapping etc. all occur within the same conversation.
Screen redraws, mouse movements and keystrokes are all high priority activities compared to something like printing. Therefore, the first two bytes of the TCP data are not encrypted and contain information about the payload of the particular packet. From Cisco's description: The first two bytes of the packet (byte 1 and byte 2) contain the byte count and the ICA priority tag number. Byte 1 contains the low-order byte count, and the first two bits of byte 2 contain the priority tags. The other six bits contain the high-order byte count.
I'd like to filter by the first two bits of the second byte of the TCP payload data. I am currently trying variations of the following display filter: (tcp[21] & 0xc0) == 0
This filter is rejected as invalid. Can anyone see what I'm doing wrong?
Can't see it right now either, but try
tcp[21] < 193
which should be logically the same.
Andreas Fink
Global Networks Schweiz AG
---------------------------------------------------------------
Tel: +41-61-6666333 Fax: +41-61-6666331 Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
---------------------------------------------------------------
ICQ: 8239353 MSN: msn1@xxxxxx AIM: smsrelay
Skype: andreasfink Yahoo: finkconsulting SMS: +41792457333
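
The two-byte tag layout quoted from Cisco above, decoded in Python as an added example that is not part of the original thread. It assumes "the first two bits of byte 2" are the two most significant bits (the 0xc0 mask used in the question); the function names and sample bytes are constructed for illustration. It locates the payload through the TCP data-offset field, because a fixed index of 21 only points at the second payload byte when the header carries no options.

```python
import struct

def tcp_payload(segment: bytes) -> bytes:
    """Return the payload of a raw TCP segment, using the data-offset field."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4   # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid TCP data offset")
    return segment[header_len:]

def parse_ica_tag(payload: bytes):
    """Decode the two cleartext bytes: returns (priority, byte_count) or None."""
    if len(payload) < 2:
        return None
    low, second = payload[0], payload[1]
    priority = second >> 6                      # assumed: top two bits of byte 2
    byte_count = ((second & 0x3F) << 8) | low   # six high-order bits + byte 1
    return priority, byte_count

def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed test segment: minimal TCP header, optional options, payload."""
    if len(options) % 4:
        raise ValueError("options must be padded to 32-bit words")
    offset = (5 + len(options) // 4) << 4
    header = struct.pack("!HHIIBBHHH", 40000, 1494, 1, 1, offset, 0x18, 65535, 0, 0)
    return header + options + payload

if __name__ == "__main__":
    ica = bytes([0x2C, 0x41]) + b"\x00" * 4          # constructed sample payload
    ts_opt = b"\x01\x01\x08\x0a" + b"\x00" * 8       # NOP, NOP, timestamp option
    for seg in (build_segment(ica), build_segment(ica, ts_opt)):
        print("fixed offset 21:", seg[21] >> 6, "parsed:", parse_ica_tag(tcp_payload(seg)))
```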