Hello Guy,

Thanks for the re-directs concerning the values and offsets. Forgive me for asking, but where can I find the proper syntax to use when creating complex "capture filters"?

You mentioned the UDP header was 16 bytes, but I thought it was only 8 bytes. I have tried the recommended filter: udp port domain and (udp[19] & 0x78) = 0x28, but that does not seem to trigger the capture. I ran a comparison trace without the filter and verified the target packets were being received by the analyzer. Any ideas?

Thanks,
George
From: Guy Harris <guy@xxxxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Date: 07/20/2010 02:55 AM
Subject: Re: [Wireshark-users] Wireshark Capture Filter Using Offset
Sent by: wireshark-users-bounces@xxxxxxxxxxxxx
On Jul 19, 2010, at 11:37 PM, Guy Harris wrote:

> The UDP header is 16 bytes, so you have to add 16 to the offset from the beginning of the DNS header. The opcode is in the byte at an offset of 3 from the beginning of the DNS header, so that's an offset of 19 (which is *NOT* 0x2C!), so the filter would be
>
> udp port domain and (udp[19] & 0x78) = 0x50

Sorry, that's

udp port domain and (udp[19] & 0x78) = 0x28

Caring about the query vs. response flag is left as an exercise for the reader.
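As an added example (not code from this thread or from Wireshark), the following Python builds a constructed UDP datagram carrying a DNS header and evaluates a capture-filter term of the form udp[N] & mask = value the way BPF does, so the byte an offset actually lands on can be checked before a filter is deployed. It assumes the RFC 768 UDP header (8 bytes) and the RFC 1035 DNS header, in which the QR bit and the opcode share the first flags byte (DNS offset 2); all function and constant names here are mine.

```python
import struct

OPCODE_QUERY = 0   # RFC 1035
OPCODE_UPDATE = 5  # RFC 2136

def build_udp_dns(opcode, qr=0, src_port=53000, dst_port=53, dns_id=0x1234):
    """Constructed sample datagram: an 8-byte UDP header (RFC 768) followed by
    a 12-byte DNS header (RFC 1035) with all counts zero. Not a captured packet."""
    flags = (qr << 15) | ((opcode & 0xF) << 11)      # QR is bit 15, Opcode bits 14..11
    dns_hdr = struct.pack("!HHHHHH", dns_id, flags, 0, 0, 0, 0)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, 8 + len(dns_hdr), 0)  # checksum 0
    return udp_hdr + dns_hdr

def bpf_byte_test(udp, offset, mask, value):
    """Evaluate a capture-filter term of the form  udp[offset] & mask = value.
    udp[N] counts from the first byte of the UDP header, so udp[0..7] is the
    UDP header itself and udp[8] is the first byte of the DNS message."""
    if offset >= len(udp):
        return False   # BPF fails the match when the packet is too short
    return (udp[offset] & mask) == value

# Byte offsets that follow from the two RFC layouts above.
UDP_HEADER_LEN = 8
DNS_FLAGS_HI = 2                                # first flags byte: QR, Opcode, AA, TC, RD
OPCODE_OFFSET = UDP_HEADER_LEN + DNS_FLAGS_HI   # udp[10]
OPCODE_MASK = 0x78                              # bits 6..3 of that byte
QR_MASK = 0x80                                  # bit 7: 0 = query, 1 = response

def dns_opcode(udp):
    """Extract the DNS opcode from a UDP datagram carrying a DNS message."""
    return (udp[OPCODE_OFFSET] & OPCODE_MASK) >> 3

def update_request_filter():
    """(offset, mask, value) for DNS UPDATE requests only: fold the QR bit into
    the mask (0x80 | 0x78 = 0xF8) so QR must be 0 while the opcode must be 5."""
    return (OPCODE_OFFSET, QR_MASK | OPCODE_MASK, OPCODE_UPDATE << 3)

if __name__ == "__main__":
    pkt = build_udp_dns(OPCODE_UPDATE)
    print("opcode:", dns_opcode(pkt))
    print("udp[19] & 0x78 = 0x28 ->", bpf_byte_test(pkt, 19, 0x78, 0x28))
    print("udp[10] & 0x78 = 0x28 ->", bpf_byte_test(pkt, 10, 0x78, 0x28))
    print("UPDATE requests only ->", bpf_byte_test(pkt, *update_request_filter()))
```

Offset 19 in the constructed datagram is the low byte of ARCOUNT, which is why the thread's filter never matches; the same evaluator can be pointed at the bytes of a real capture to confirm an offset before using it.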
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
--------------------------------------------------
This e-mail contains information which may be privileged, confidential, proprietary, trade secret and/or otherwise legally protected. If you are not the intended recipient, please do not distribute this e-mail. Instead, please delete this e-mail from your system, and notify us that you received it in error. No waiver of any applicable privileges or legal protections is intended (and nothing herein shall constitute such a waiver), and all rights are reserved.