On 20 Jul 2010, at 16:55, George E Burns wrote:
> You mentioned the UDP header was 16 bytes, but I thought it was only 8 bytes. I have tried the recommended filter: udp port domain and (udp[19] & 0x78) = 0x28 , but that does not seem to trigger the capture. I ran a comparison trace without the filter and verified the target packets were being received by the analyzer. Any ideas?
Indeed the UDP header is 8 bytes long, so that would make the filter:
udp port domain and (udp[11] & 0x78) = 0x28
More information about capture filters can be found at the links Joke has sent earlier in this thread:
http://wiki.wireshark.org/CaptureFilters
http://procana.homeunix.com/#BON
And of course the tcpdump manual page is a great source.
Hope this helps,
Cheers,
Sake
PS If you really want to dig into it, tcpdump -d <filter> will show you what the compiled BPF code will be, which you can use to verify the filter (if you understand the produced "machine-code").
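The offset arithmetic behind Sake's correction, as an added worked example that is not part of the original thread: the script below builds a constructed UDP datagram carrying a minimal DNS message and evaluates the same `udp port domain and (udp[N] & 0x78) = 0x28` test in plain Python, once with the corrected offset 11 and once with the original offset 19. The packet contents, port numbers and the DNS flags value 0x81A8 are assumptions chosen so that udp[11] (the third byte of the DNS header, which starts right after the 8-byte UDP header) satisfies the mask test.

```python
import struct

UDP_HEADER_LEN = 8   # the point of the thread: the UDP header is 8 bytes, not 16
DNS_PORT = 53        # what tcpdump's "port domain" resolves to


def build_udp_dns_message(sport=DNS_PORT, dport=40000, txid=0x1234, flags=0x81A8):
    """Constructed sample datagram: 8-byte UDP header followed by a minimal DNS
    message. 'flags' is the 16-bit DNS flags field; 0x81A8 is an assumed value
    chosen so that DNS byte 3 (udp[11]) is 0xA8 and 0xA8 & 0x78 == 0x28."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # example.com A IN
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    udp_len = UDP_HEADER_LEN + len(dns)
    udp_header = struct.pack("!HHHH", sport, dport, udp_len, 0)  # checksum left at 0
    return udp_header + dns


def udp_port_domain(udp):
    """Equivalent of the BPF primitive 'udp port domain': either port is 53."""
    sport, dport = struct.unpack("!HH", udp[:4])
    return DNS_PORT in (sport, dport)


def udp_byte_test(udp, offset, mask, value):
    """Equivalent of 'udp[offset] & mask = value' on a bare UDP datagram.
    udp[0] is the first byte of the UDP header, so payload bytes start at 8.
    BPF rejects a load that runs past the end of the packet, so do the same."""
    if offset >= len(udp):
        return False
    return (udp[offset] & mask) == value


def dns_filter_matches(udp, udp_offset):
    """The complete filter from the thread with a selectable byte offset."""
    return udp_port_domain(udp) and udp_byte_test(udp, udp_offset, 0x78, 0x28)


def udp_offset_to_dns_offset(udp_offset):
    """Translate a udp[N] offset into an offset within the DNS message."""
    return udp_offset - UDP_HEADER_LEN


if __name__ == "__main__":
    pkt = build_udp_dns_message()
    for off in (11, 19):
        print(f"udp[{off}] -> DNS byte {udp_offset_to_dns_offset(off)}: "
              f"byte=0x{pkt[off]:02x} match={dns_filter_matches(pkt, off)}")
```

Running it shows why George's capture stayed empty: with the 16-byte assumption, udp[19] lands on the last byte of ARCOUNT in this sample, which is 0x00 and never satisfies the mask, while udp[11] reaches the intended flags byte. Checking a candidate filter this way against a packet you already captured is a quick sanity test before trusting it on a live interface, alongside the `tcpdump -d` check Sake mentions.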