On 2007-05-10 17:41, McDouglas wrote:
> Is it possible to match packets based on the data content? Say, for
> example match only packets with the first two bytes of the data being
> (hex) 01 1B ?
If by "the data" you mean the TCP payload, yes.

    tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x011b

The high nybble of tcp[12:1] is the number of 32-bit words in the TCP header. So tcp[12:1] >> 2 (the & 0xf0 is perhaps a no-op in the example expression, but is there for clarity) gives you the actual size of the TCP header. The payload thus begins at tcp[tcp[12:1] >> 2]. You can do similar machinations for UDP or what have you.

-- 
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
"Never try to retrieve anything from a bear."--National Park Service

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
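The offset arithmetic in the filter above, redone by hand on a raw IPv4/TCP packet so you can see exactly which bytes `tcp[((tcp[12:1] & 0xf0) >> 2):2]` indexes. This is an added example, not code from the original post or from tcpdump/libpcap; the packet bytes are constructed here (checksums left as zero), and the function names (`tcp_header_len`, `tcp_payload_offset`, `payload_matches`, `build_packet`) are ours. It also shows what the `& 0xf0` mask buys you: libpcap evaluates `tcp[12:1] >> 2` on the whole byte, so if the reserved low nybble is ever non-zero the unmasked form points into the wrong place.

```python
"""Hand-rolled equivalent of the tcpdump filter

    tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x011b

on a raw IPv4 packet (no link-layer header).  Added example; packet bytes
below are constructed, not captured.
"""
import struct

PREFIX = b"\x01\x1b"          # the two payload bytes the list question asked about


def tcp_header_len(data_offset_byte: int, mask_reserved: bool = True) -> int:
    """TCP header length in bytes, derived from TCP byte 12 (tcp[12:1]).

    High nybble = data offset in 32-bit words, so (byte & 0xf0) >> 2 equals
    (byte >> 4) * 4.  Without the mask the low (reserved) nybble leaks into
    the shift and inflates the result whenever those bits are non-zero.
    """
    if mask_reserved:
        return (data_offset_byte & 0xF0) >> 2
    return data_offset_byte >> 2


def tcp_payload_offset(pkt: bytes, mask_reserved: bool = True):
    """Offset of the TCP payload inside a raw IPv4 packet, or None if this is
    not an unfragmented IPv4/TCP packet carrying a complete TCP header.
    (When you write tcp[...] in a filter, libpcap does the IPv4 part of this
    arithmetic for you and only looks at first fragments.)"""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return None
    if pkt[9] != 6:                                # IP protocol 6 = TCP
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:  # non-first fragment: no TCP header here
        return None
    if len(pkt) < ihl + 20:
        return None
    thl = tcp_header_len(pkt[ihl + 12], mask_reserved)
    if thl < 20:
        return None
    return ihl + thl


def payload_matches(pkt: bytes, prefix: bytes = PREFIX) -> bool:
    """Python rendering of  tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x011b.
    A packet too short to hold the two bytes does not match, as in BPF."""
    off = tcp_payload_offset(pkt)
    if off is None or len(pkt) < off + len(prefix):
        return False
    return pkt[off:off + len(prefix)] == prefix


def build_packet(payload: bytes, tcp_options: bytes = b"", reserved_bits: int = 0) -> bytes:
    """Construct a minimal IPv4/TCP packet for the example.  Checksums are
    left zero; they play no part in the offset arithmetic."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to a 32-bit boundary")
    data_off_words = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, 80, 1, 0,                               # sport, dport, seq, ack
        (data_off_words << 4) | (reserved_bits & 0x0F),  # tcp[12:1]
        0x18,                                          # flags PSH|ACK
        65535, 0, 0,                                   # window, checksum, urg
    ) + tcp_options
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 6, 0,            # ver/ihl ... proto=6
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),  # documentation addresses
    )
    return ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    cases = {
        "plain header, payload 01 1b":      build_packet(b"\x01\x1b\x00\x00"),
        "plain header, payload 01 1c":      build_packet(b"\x01\x1c"),
        "12 bytes of NOP options, 01 1b":   build_packet(b"\x01\x1b", tcp_options=b"\x01" * 12),
        "one-byte payload":                 build_packet(b"\x01"),
    }
    for desc, pkt in cases.items():
        print(f"{desc:36s} offset={tcp_payload_offset(pkt)} match={payload_matches(pkt)}")
    # Why the mask matters: same byte, reserved bits set.
    print("tcp[12:1]=0x5f masked ->", tcp_header_len(0x5F), " unmasked ->", tcp_header_len(0x5F, False))
```

For UDP the same idea is simpler because the header is a fixed 8 bytes, so the equivalent filter is `udp[8:2] = 0x011b`. Note that `tcp[...]` offsets are relative to the start of the TCP header; libpcap adds the IPv4 header-length arithmetic and the first-fragment check itself, which is why the filter needs no `ip[0] & 0xf` term.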
