On Wed, Apr 11, 2001 at 03:48:23PM -0600, Henry, Brad ERM wrote:
> Hi, I'm currently using libpcap to compile some test filters which I've
> written using the syntax found in the tcpdump man page. I'm having problems
> using filters of the form
> `ip[12:4] = ip[16:4]` it's producing a compile error in libpcap (and
> tcpdump) when I try and use it. Other filters work fine, but the filters I
> made which use a byte offset : length comparison, I'm doing something wrong.
> Any ideas?
Which version of libpcap and tcpdump are you using, on what OS are you
using it, and on what network device type are you using it? With both
the tcpdump/libpcap that comes with FreeBSD 3.4 and with a recent
CVS-tree version of tcpdump/libpcap, that expression works:
```
% tcpdump -d 'ip[12:4] = ip[16:4]'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 9
(002) ld       [26]
(003) st       M[1]
(004) ld       [30]
(005) tax
(006) ld       M[1]
(007) jeq      x                jt 8    jf 9
(008) ret      #68
(009) ret      #0
```
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
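
As an added example (not part of the original message and not libpcap code), this small Python interpreter runs the ten instructions from the `tcpdump -d` listing above over constructed frames, showing that the filter accepts only IPv4 frames whose source and destination addresses are equal. It assumes Ethernet framing, as the `ldh [12]` EtherType test in the listing implies; `run_filter`, `frame` and the opcode names are invented for the example.

```python
import struct

# The listing printed by tcpdump -d above, as (op, k, jt, jf) tuples.
# jt/jf are absolute instruction indices, as tcpdump -d prints them.
PROGRAM = [
    ("ldh", 12, 0, 0),        # (000) A = 16-bit EtherType
    ("jeq_k", 0x800, 2, 9),   # (001) IPv4? else reject
    ("ld", 26, 0, 0),         # (002) A = ip[12:4], source address
    ("st", 1, 0, 0),          # (003) M[1] = A
    ("ld", 30, 0, 0),         # (004) A = ip[16:4], destination address
    ("tax", 0, 0, 0),         # (005) X = A
    ("ldm", 1, 0, 0),         # (006) A = M[1]
    ("jeq_x", 0, 8, 9),       # (007) source == destination?
    ("ret", 68, 0, 0),        # (008) accept, keep 68 bytes
    ("ret", 0, 0, 0),         # (009) reject
]

def run_filter(program, pkt):
    """Run the filter over one frame; return bytes to capture (0 = reject)."""
    a = x = pc = 0
    mem = [0] * 16                      # classic BPF scratch memory words
    while True:
        op, k, jt, jf = program[pc]
        pc += 1
        if op in ("ldh", "ld"):
            size = 2 if op == "ldh" else 4
            if k + size > len(pkt):     # load past end of packet rejects it
                return 0
            a = int.from_bytes(pkt[k:k + size], "big")
        elif op == "st":
            mem[k] = a
        elif op == "ldm":
            a = mem[k]
        elif op == "tax":
            x = a
        elif op == "jeq_k":
            pc = jt if a == k else jf
        elif op == "jeq_x":
            pc = jt if a == x else jf
        elif op == "ret":
            return k

def frame(src, dst, ethertype=0x0800):
    """Constructed Ethernet + 20-byte IPv4 header (sample data, no payload)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return eth + ip
```

The absolute offsets 26 and 30 are the 14-byte Ethernet header plus IP offsets 12 and 16, so the same expression compiles to different loads on other link types.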