>so as long as you're testing bytes at *fixed offset* from the beginning
>of the link-layer (e.g., Ethernet), network layer (e.g., IP), or
>transport layer (e.g., TCP) header, the libpcap filter syntax can handle
>it.
>
>Note, however, that the length of the TCP header is not necessarily
>fixed length, as it might have options, so if you want to, for example,
>filter based on the content of the TCP payload *and* you want it to
>handle TCP packets with options, you'd have to construct the BPF filter
>code yourself.
I'm not sure here... are you affirming or denying that the
following expression will select SSH traffic that contains data (e.g.,
not pure ACKs):
port 22 and tcp[(tcp[12]>>4)*4:4] > 0
regardless of the presence (or absence) of tcp options.
--
|-----< "CODE WARRIOR" >-----|
Andrew Brown * "ah! i see you have the internet that goes *ping*!"
* "information is power -- share the wealth."
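As an added example (not part of the thread), the Python below mimics how the BPF machine evaluates the expression in the mail against constructed TCP segments: a load that runs past the end of the packet rejects the packet, so a pure ACK fails `tcp[(tcp[12]>>4)*4:4] > 0`, while a fixed-offset `tcp[20:4]` misreads option bytes as payload once options are present. The segment layouts, ports and timestamp option are constructed here; the assumed model of BPF out-of-range loads is classic BPF behaviour, not something the mail states.

```python
import struct

def build_tcp(sport, dport, flags, options=b"", payload=b""):
    """Constructed TCP segment (header, options, payload), no IP header.
    Options are padded with NOP (0x01) bytes to a 32-bit boundary."""
    if len(options) % 4:
        options += b"\x01" * (4 - len(options) % 4)
    doff = (20 + len(options)) // 4            # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      doff << 4, flags, 65535, 0, 0)
    return hdr + options + payload

def bpf_load(tcp, offset, size):
    """Mimic a BPF load tcp[offset:size]: big-endian, and None when the read
    runs past the end of the packet (the BPF program then rejects it)."""
    if offset < 0 or offset + size > len(tcp):
        return None
    return int.from_bytes(tcp[offset:offset + size], "big")

def filter_variable(tcp):
    """'port 22 and tcp[(tcp[12]>>4)*4:4] > 0': the payload offset comes from
    the data-offset field, so TCP options are accounted for."""
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = bpf_load(tcp, 12, 1)
    if 22 not in (sport, dport) or doff is None:
        return False
    word = bpf_load(tcp, (doff >> 4) * 4, 4)
    return word is not None and word > 0

def filter_fixed(tcp):
    """'port 22 and tcp[20:4] > 0': assumes a 20-byte header, i.e. no options."""
    sport, dport = struct.unpack("!HH", tcp[:4])
    word = bpf_load(tcp, 20, 4)
    return 22 in (sport, dport) and word is not None and word > 0

# Constructed samples: timestamp option (kind 8, length 10) preceded by two NOPs.
TS_OPT = b"\x01\x01" + struct.pack("!BBII", 8, 10, 1000, 2000)
ACK, PSH = 0x10, 0x08
PURE_ACK_NOOPT = build_tcp(22, 40000, ACK)
PURE_ACK_OPT = build_tcp(22, 40000, ACK, options=TS_OPT)
DATA_OPT = build_tcp(22, 40000, ACK | PSH, options=TS_OPT, payload=b"SSH-2.0-x")
ZERO_DATA = build_tcp(22, 40000, ACK | PSH, payload=b"\x00\x00\x00\x00\x01")

if __name__ == "__main__":
    for name, seg in [("pure ACK, no options", PURE_ACK_NOOPT),
                      ("pure ACK, options", PURE_ACK_OPT),
                      ("data, options", DATA_OPT), ("zero-led data", ZERO_DATA)]:
        print(f"{name:22} variable={filter_variable(seg)!s:5} fixed={filter_fixed(seg)}")
```

Note the last sample: the expression tests that the first four payload bytes are non-zero, not that payload exists, so a segment whose data begins with four zero bytes is not selected.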
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html