Folks,

My first exposure to pcap was through the program snort. Being a C/C++ Windows programmer, I would like to have a bit more control over the info I would like to capture. Thus I am now looking into pcap as the engine for my packet capture program.

The only thing I am scratching my head about is the filtering. I need to filter based on content, the first two bytes of the packet, not the addr or even port. Can I create a rule for pcap that will filter based on content? The first two bytes are 2Ah 02h.

The other thing I need a bit of help with is the flags. I understand the basics, but I have never done any heavy-duty IP programming. The snort rule I have contains "flags:AP+". From looking at the snort docs, that means ACK, PSH, and "ALL flag, match on all specified flags plus any others". Wouldn't simply having a + get the same thing done?

Sam

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe

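As an added illustration (not the poster's code and not from the list), here is a plain C check, written without libpcap so it runs stand-alone, that does what the requested filter has to do: it applies Snort's "AP+" semantics (ACK and PSH must be set, any other flags are ignored) and compares the first two TCP payload bytes against 2A 02, walking the variable-length IPv4 and TCP headers the same way the libpcap expression kept in FILTER_EXPR does. FILTER_EXPR, build_sample and sample_matches are this example's own names and the frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* libpcap filter expression doing the same job (hand it to pcap_compile) */
const char *const FILTER_EXPR =
    "tcp[tcpflags] & (tcp-ack|tcp-psh) == (tcp-ack|tcp-psh) and "
    "tcp[((tcp[12]&0xf0)>>2):2] = 0x2a02";

#define TCP_PSH 0x08
#define TCP_ACK 0x10

/* Returns 1 if an Ethernet II/IPv4/TCP frame has ACK and PSH set (other flags
 * ignored, as Snort's "flags:AP+") and its TCP payload begins 2A 02. */
int match_packet(const uint8_t *pkt, size_t len)
{
    size_t ip_off = 14;                            /* Ethernet II header */
    if (len < ip_off + 20 || pkt[12] != 0x08 || pkt[13] != 0x00) return 0;
    if ((pkt[ip_off] >> 4) != 4) return 0;         /* IPv4 only */
    size_t ihl = (pkt[ip_off] & 0x0f) * 4u;        /* IP header incl. options */
    if (ihl < 20 || len < ip_off + ihl + 20) return 0;
    if ((pkt[ip_off + 6] & 0x1f) || pkt[ip_off + 7]) return 0; /* non-first fragment: no TCP header */
    if (pkt[ip_off + 9] != 6) return 0;            /* protocol must be TCP */
    size_t tcp_off = ip_off + ihl;
    size_t doff = (pkt[tcp_off + 12] >> 4) * 4u;   /* data offset = (tcp[12]&0xf0)>>2 */
    if (doff < 20 || len < tcp_off + doff + 2) return 0;
    uint8_t flags = pkt[tcp_off + 13];             /* tcp[tcpflags] */
    if ((flags & (TCP_ACK | TCP_PSH)) != (TCP_ACK | TCP_PSH)) return 0;
    const uint8_t *payload = pkt + tcp_off + doff;
    return payload[0] == 0x2a && payload[1] == 0x02;
}

/* Constructed test frame (no IP or TCP options): flags and the first two
 * payload bytes are parameters so the check can be exercised. */
size_t build_sample(uint8_t *buf, uint8_t flags, uint8_t b0, uint8_t b1)
{
    static const uint8_t eth[14] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00 };
    static const uint8_t ip[20] = { 0x45,0,0,44, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2 };
    uint8_t tcp[20] = { 0x04,0xd2, 0x00,0x50, 0,0,0,1, 0,0,0,1, 0x50,flags, 0xff,0xff, 0,0, 0,0 };
    memcpy(buf, eth, 14); memcpy(buf + 14, ip, 20); memcpy(buf + 34, tcp, 20);
    buf[54] = b0; buf[55] = b1; buf[56] = 0; buf[57] = 1;   /* 4-byte payload */
    return 58;
}

/* Builds a sample frame with the given flags/payload start and runs the check. */
int sample_matches(uint8_t flags, uint8_t b0, uint8_t b1)
{
    uint8_t frame[64];
    return match_packet(frame, build_sample(frame, flags, b0, b1));
}
```

Note the fragment check: libpcap adds the same one behind `tcp[...]`, so a non-first fragment carrying 2A 02 at its start is not mistaken for a match.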