Wireshark-users: Re: [Wireshark-users] Display Filter frame - how do that work?

From: Marco Simone Zuppone <msz@xxxxxx>
Date: Wed, 15 Dec 2010 14:35:20 +0000
Hello,
 
 
there is not a fix list. It depends what the frame contains.
So frame[282:3]  means only the take 3 bytes starting from the 282th byte...
 Regards,
Marco

On Wed, Dec 15, 2010 at 2:04 PM, Jürgen Dietl <juergen.dietl@xxxxxxxxxxxxxx> wrote:
Hello,

today I made a trace and I wanted to see all the DHCPNAK.

For this I found a filter:

frame[282:3] == 35:01:06

It works perfect. But my question is how is this filter defined.

For example frame[282:3] == 35:01:02 would be DHCPOFFER.

So {282:3] must be then DHCP. But how is that defined? Is that an offset? some bit? just a fix list?

and what is 35:01:06.


Any help would be greatly appreciated.

thanx a lot and have a nice day,

cheers,
Juergen


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe