I think the capture filter should be (but can't test it right now):
dns[2:2]==0x2800
http://wiki.wireshark.org/CaptureFilters
http://procana.homeunix.com/#BON
My best
Joke
On Mon, 19 Jul 2010 17:27:09 -0400 George E Burns wrote:
>
>Hello,
>
>I have a question regarding "capture" filters. Specifically, I need to
>write a low level filter that will capture dynamic DNS update packets
>containing the opcode value of 0x05. I know what the offset value is
>(0x2C and 0x2D) in the payload, but apparently I am missing something when
>trying to understand the correct "tcp dump" syntax to use as part of the
>capture filter in Wireshark.
>
>Capture Filter: udp[2c] == 28 and udp[2d] == 00
>
>
>Any input is greatly appreciated!
>
>
>Thanks,
>geburns
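Added example, not code from either poster: a small Python helper that locates the DNS flags word relative to the UDP header, builds the equivalent pcap-filter expression for a given opcode (5 = dynamic update), and applies the same byte comparison to constructed sample datagrams. The `udp[offset:len]` syntax and the `&` mask operator are standard pcap-filter syntax; the sample packets and helper names are my own.

```python
import struct

# DNS header: ID (2 bytes), FLAGS (2 bytes), then four 16-bit section counts.
# FLAGS layout (RFC 1035): QR(1) | OPCODE(4) | AA TC RD | RA Z AD CD | RCODE(4)
OPCODE_MASK = 0x7800      # bits 14..11 of the flags word
OPCODE_UPDATE = 5         # RFC 2136 dynamic update
UDP_HEADER_LEN = 8

def flags_offset_in_udp():
    """Byte offset of the DNS flags word, counted from the start of the UDP header.
    On Ethernet with a 20-byte IPv4 header this is absolute byte 44 (0x2C), the
    offset mentioned in the question; udp[...] keeps the filter independent of
    the link layer and of IP options."""
    return UDP_HEADER_LEN + 2   # -> 10

def bpf_filter_for_opcode(opcode):
    """Capture-filter expression matching DNS packets with the given opcode.
    Masking with 0x7800 ignores QR and the other flag bits, so both update
    requests and update responses match."""
    if not 0 <= opcode <= 15:
        raise ValueError("opcode is a 4-bit field")
    return "udp[%d:2] & 0x%04x == 0x%04x" % (
        flags_offset_in_udp(), OPCODE_MASK, opcode << 11)

def dns_opcode(udp_datagram):
    """Extract the opcode from a raw UDP datagram (UDP header + DNS payload)."""
    if len(udp_datagram) < UDP_HEADER_LEN + 12:
        raise ValueError("datagram too short for a DNS header")
    (flags,) = struct.unpack("!H", udp_datagram[10:12])
    return (flags & OPCODE_MASK) >> 11

def matches_opcode(udp_datagram, opcode):
    """Perform exactly the comparison the capture filter above performs."""
    (word,) = struct.unpack("!H", udp_datagram[10:12])
    return (word & OPCODE_MASK) == (opcode << 11)

def make_udp_dns(flags, src=53000, dst=53):
    """Constructed sample: UDP header followed by a minimal 12-byte DNS header."""
    dns = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    udp = struct.pack("!HHHH", src, dst, UDP_HEADER_LEN + len(dns), 0)
    return udp + dns

# Constructed sample datagrams (not captured traffic).
UPDATE_REQUEST = make_udp_dns(0x2800)    # QR=0, opcode 5
UPDATE_RESPONSE = make_udp_dns(0xA800)   # QR=1, opcode 5: also matches
STANDARD_QUERY = make_udp_dns(0x0100)    # opcode 0, RD set: does not match

if __name__ == "__main__":
    print(bpf_filter_for_opcode(OPCODE_UPDATE))
    for name, pkt in (("request", UPDATE_REQUEST), ("response", UPDATE_RESPONSE),
                      ("query", STANDARD_QUERY)):
        print(name, dns_opcode(pkt), matches_opcode(pkt, OPCODE_UPDATE))
```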