Wireshark · Wireshark-users: Re: [Wireshark-users] specifying > 4 byte offsets / capture filters

Wireshark-users: Re: [Wireshark-users] specifying > 4 byte offsets / capture filters

From: Stuart Kendrick <skendric@xxxxxxxxx>

Date: Mon, 08 Oct 2012 10:58:38 -0700

Correct.  For filter tests, it currently only generates BPF code where the data can be tested with a single comparison instruction, which means no more than 4 bytes (the BPF pseudo-machine is a 32-bit machine).

Can anyone think of a creative way to do the same thing?


arp and ((ether[22:4]==0x001e4f3d and ether[26:2]==0x4204) or (ether[32:4]==0x001e4f3d) and ether[36:2]==0x4204))


Ahh.  Thank you Guy,

--sk

References:
- [Wireshark-users] specifying > 4 byte offsets / capture filters
  - From: Stuart Kendrick
- Re: [Wireshark-users] specifying > 4 byte offsets / capture filters
  - From: Guy Harris

Prev by Date: Re: [Wireshark-users] specifying > 4 byte offsets / capture filters
Next by Date: Re: [Wireshark-users] Launching a new window from Display filters
Previous by thread: Re: [Wireshark-users] specifying > 4 byte offsets / capture filters
Next by thread: [Wireshark-users] detect p2p (torrent) traffic with console tshark
Index(es):
- Date
- Thread