Hi,

> I'm trying to write a filter for a small pcap application. I need to
> match by the tcp sequence number, as I'm only interested in packets
> with sequence number 1. I know I can match by octet, using e.g.
> tcp[13] == ???, but the sequence field is 4 octets (32-bit). How can
> I match against this field?

tcp[4:4] should work. The manpage states that you can use expressions like

>> proto [ expr : size ]

in your match string.

Regards,
Jan

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
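
What the filter `tcp[4:4] == 1` tests, written out by hand in C as an added example (not code from this thread or from libpcap). It assumes a raw IPv4 packet with no link-layer header; `tcp_seq_matches` and `build_packet` are hypothetical names and the packets are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hand-written equivalent of the filter "tcp[4:4] == want" for a raw IPv4
 * packet (assumption: no link-layer header). Returns 1 on match, else 0. */
static int tcp_seq_matches(const uint8_t *pkt, size_t len, uint32_t want)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6)
        return 0;                               /* not IPv4 carrying TCP */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return 0;                               /* later fragment: no TCP header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* IP header length incl. options */
    if (ihl < 20 || len < ihl + 8)
        return 0;                               /* TCP bytes 4..7 not captured */
    const uint8_t *tcp = pkt + ihl;             /* index 0 = first TCP header byte */
    /* [4:4]: four bytes from offset 4, read in network (big-endian) order */
    uint32_t seq = ((uint32_t)tcp[4] << 24) | ((uint32_t)tcp[5] << 16) |
                   ((uint32_t)tcp[6] << 8) | (uint32_t)tcp[7];
    return seq == want;
}

/* Constructed sample packet: IPv4 header of ihl_words 32-bit words followed by
 * a 20-byte TCP header with sequence number seq. buf must hold 80 bytes. */
static size_t build_packet(uint8_t *buf, unsigned ihl_words, uint32_t seq,
                           unsigned frag_off)
{
    size_t ihl = (size_t)ihl_words * 4, total = ihl + 20;
    for (size_t i = 0; i < total; i++)
        buf[i] = 0;
    buf[0] = (uint8_t)(0x40 | ihl_words);       /* version 4, header length */
    buf[6] = (uint8_t)((frag_off >> 8) & 0x1f); /* fragment offset, high bits */
    buf[7] = (uint8_t)(frag_off & 0xff);        /* fragment offset, low bits */
    buf[9] = 6;                                 /* protocol = TCP */
    for (int i = 0; i < 4; i++)                 /* sequence number, big-endian */
        buf[ihl + 4 + i] = (uint8_t)(seq >> (24 - 8 * i));
    return total;
}

int main(void)
{
    uint8_t b[80];
    size_t n = build_packet(b, 6, 1, 0);        /* IP options present, seq 1 */
    printf("seq 1, IHL 6:   %d\n", tcp_seq_matches(b, n, 1));
    n = build_packet(b, 5, 0x01000000u, 0);     /* byte-swapped value */
    printf("seq 0x01000000: %d\n", tcp_seq_matches(b, n, 1));
    return 0;
}
```

The comparison is against the raw 32-bit value on the wire, not the relative sequence numbers that tcpdump prints by default (`-S` prints the absolute values).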
