Wireshark-users: Re: [Wireshark-users] Wireshark Capture Filter Using Offset

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 19 Jul 2010 23:51:07 -0700
On Jul 19, 2010, at 11:37 PM, Guy Harris wrote:

> The UDP header is 16 bytes, so you have to add 16 to the offset from the beginning of the DNS header.  The opcode is in the byte at an offset of 3 from the beginning of the DNS header, so that's an offset of 19 (which is *NOT* 0x2C!), so the filter would be
> 
> 	udp port domain and (udp[19] & 0x78) = 0x50

Sorry, that's

	udp port domain and (udp[19] & 0x78) = 0x28

Caring about the query vs. response flag is left as an exercise for the reader.