As Iain said, ngrep is good for this, but if you want to stick with 
tcpdump for whatever reason, you can do something like this:
'tcp[((tcp[12] & 0xf0) >> 0x4) * 4] == 97' as the filter

This is assuming you want to match the first byte of the TCP data 
portion. Basically, how it works is: ((tcp[12] & 0xf0) >> 0x4) is the 
4-bit header length of the TCP packet (the number of 32-bit words in the 
header); multiply that by 4 to get the actual number of bytes of the TCP 
header including options, and that will be the position of the first 
byte of the data portion in the TCP packet.  97 is the decimal of 'a'.

Example:
root@laptop:/tmp# 3 ad a
97
root@laptop:/tmp# tcpdump -X 'tcp[((tcp[12] & 0xf0) >> 0x4) * 4] == 97'
tcpdump: listening on dc0
09:59:41.650172 LOOPBACK.LucidX.com.1041 > LucidX.6667: P 1391466331:1391466339(8) ack 1284529882 win 16199 (DF)
0x0000   4500 0030 8ad8 4000 8006 6bdb 3fc7 c243        E..0..@...k.?..C
0x0010   3fc7 c242 0411 1a0b 52f0 175b 4c90 5eda        ?..B....R..[L.^.
0x0020   5018 3f47 a75f 0000 6162 6364 6566 670a        P.?G._..abcdefg.

Iain McAleer wrote:

> You might want to look into ngrep, it has the features I believe you're
> looking for.
> 
> ----- Original Message -----
> From: "subramoni padmanabhan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, June 07, 2002 12:09 PM
> 
> 
> 
>> Hi,
>>
>>    Is there any way to capture packets using tcpdump by specifying a
>> filter which indexes into the payload region of the packet? For example,
>> if I wanted tcpdump to capture packets whose first byte of payload matches
>> the character 'a', how would I go about it? Is there any way at all? If
>> not, what would be an alternative? I hope I have made myself clear.
>> Thanks.
>>
>>
>>
>>Subramoni Padmanabhan
>>G-126, 700 woodland avenue
>>Lexington, Kentucky 40508
>>Phone : 859 323 9405
>>
>>
>> -
>> This is the TCPDUMP workers list. It is archived at
>> http://www.tcpdump.org/lists/workers/index.html
>> To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe


-- 
Samy Kamkar -- cp5 -- [EMAIL PROTECTED]
LucidX.com / LA.pm.org / code.LucidX.com
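The following is an added example, not part of the original thread and not libpcap's or tcpdump's own code. It re-implements, in plain Python, the offset arithmetic behind the posted filter `tcp[((tcp[12] & 0xf0) >> 0x4) * 4] == 97` on raw IPv4 packets, using the 48-byte packet from the hex dump above as sample input, and it builds the equivalent tcpdump expression for a multi-byte payload prefix (BPF index loads are 1, 2 or 4 bytes wide, so a longer prefix has to be split into several compares ANDed together). It also handles the two cases the one-liner silently does not match: a segment with no payload at all (a bare ACK; the index then falls past the end of the packet and BPF rejects it) and a non-first IP fragment (libpcap adds an implicit fragment-offset check whenever `tcp[...]` is used). Note that, per pcap-filter(7), `tcp[...]` indexing applies to IPv4 only. The function names, and the two altered packets derived from the sample, are the example author's own constructions.

```python
"""Emulate tcpdump's TCP payload-indexing filter in pure Python.

Added example (not from the tcpdump thread). Re-implements
    tcp[((tcp[12] & 0xf0) >> 0x4) * 4] == 97
on raw IPv4 packets and builds an equivalent filter for a byte prefix.
All function names here are the example's own, not libpcap's.
"""
import struct

# The IPv4 packet printed by `tcpdump -X` in the post: 20-byte IP header,
# 20-byte TCP header, then the 8-byte payload "abcdefg\n". No link layer.
SAMPLE_PKT = bytes.fromhex(
    ("4500 0030 8ad8 4000 8006 6bdb 3fc7 c243"
     "3fc7 c242 0411 1a0b 52f0 175b 4c90 5eda"
     "5018 3f47 a75f 0000 6162 6364 6566 670a").replace(" ", "")
)

# Constructed variants of the sample (checksums not recomputed; we never
# validate them): a bare ACK with no payload (total length forced to 40),
# and a non-first fragment (fragment offset field set to 1).
SAMPLE_ACK = SAMPLE_PKT[:2] + b"\x00\x28" + SAMPLE_PKT[4:40]
SAMPLE_FRAG = SAMPLE_PKT[:6] + b"\x00\x01" + SAMPLE_PKT[8:]


def tcp_payload_offset(ip_pkt: bytes):
    """Return (offset of first payload byte, IP total length), or None.

    None means tcp[...] cannot index this packet at all: not IPv4, not TCP,
    truncated, or a non-first fragment (libpcap's tcp[...] implicitly
    requires ip[6:2] & 0x1fff == 0).
    """
    if len(ip_pkt) < 20 or ip_pkt[0] >> 4 != 4:
        return None
    ihl = (ip_pkt[0] & 0x0F) * 4                       # IP header incl. options
    total_len = struct.unpack("!H", ip_pkt[2:4])[0]
    frag_off = struct.unpack("!H", ip_pkt[6:8])[0] & 0x1FFF
    proto = ip_pkt[9]
    if proto != 6 or frag_off != 0 or len(ip_pkt) < ihl + 20:
        return None
    tcp = ip_pkt[ihl:]
    # tcp[12] high nibble = data offset in 32-bit words; *4 gives bytes,
    # i.e. the TCP header length including options. That is the index
    # of the first payload byte relative to the start of the TCP header.
    doff = ((tcp[12] & 0xF0) >> 4) * 4
    return ihl + doff, total_len


def first_payload_byte(ip_pkt: bytes):
    """Value the filter's tcp[data_offset] load would see, or None when the
    segment carries no payload (the load would run past the packet end,
    so BPF simply does not match it)."""
    r = tcp_payload_offset(ip_pkt)
    if r is None:
        return None
    off, total_len = r
    end = min(total_len, len(ip_pkt))
    if off >= end:
        return None
    return ip_pkt[off]


def matches_first_byte(ip_pkt: bytes, value: int) -> bool:
    """Equivalent of: tcp[((tcp[12] & 0xf0) >> 4) * 4] == value"""
    return first_payload_byte(ip_pkt) == value


def payload_startswith(ip_pkt: bytes, prefix: bytes) -> bool:
    """Does the TCP payload begin with `prefix` (whole prefix present)?"""
    r = tcp_payload_offset(ip_pkt)
    if r is None:
        return False
    off, total_len = r
    end = min(total_len, len(ip_pkt))
    return end - off >= len(prefix) and ip_pkt[off:end].startswith(prefix)


def payload_prefix_filter(prefix: bytes) -> str:
    """Build a tcpdump expression matching segments whose payload starts
    with `prefix`, generalising the one-byte filter from the post. BPF
    index loads are 1, 2 or 4 bytes wide, so the prefix is cut into
    4/2/1-byte chunks, each compared at its own offset from the data start."""
    base = "((tcp[12] & 0xf0) >> 4) * 4"
    terms = []
    k = 0
    while k < len(prefix):
        remaining = len(prefix) - k
        size = 4 if remaining >= 4 else 2 if remaining >= 2 else 1
        val = int.from_bytes(prefix[k:k + size], "big")
        idx = base if k == 0 else f"{base} + {k}"
        terms.append(f"tcp[{idx}:{size}] == 0x{val:0{size * 2}x}")
        k += size
    return " and ".join(terms)


if __name__ == "__main__":
    print(first_payload_byte(SAMPLE_PKT))          # 97, i.e. 'a'
    print(first_payload_byte(SAMPLE_ACK))          # None: no payload
    print(payload_prefix_filter(b"abcd"))
```

The generated expression can be pasted straight into tcpdump, e.g. `tcpdump -X "$(python3 thisfile.py | tail -1)"`; use `tcpdump -d '<expr>'` to inspect the BPF program it compiles to and confirm the implicit fragment check is there.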
