On Wed, Jul 07, 2004 at 10:58:39AM +0300, Vasily Borovyak wrote:

> Maybe it isn't about the header, maybe it's about the level of OSI model? I.e.
> "ether" means only start point of array of bytes.

I doubt that. He said

> I need to set the filter on Type field for ethernet frame

and the type field for an Ethernet frame is at an offset of 12 from the beginning of the Ethernet frame.

"ether", in "ether[21:2]==0xbbbb", refers to the Ethernet frame, so "ether[21:2]" means "the 2-byte big-endian quantity at an offset of 21 from the beginning of the Ethernet frame", which doesn't mean much of anything without knowing the Ethernet type of the frame, as that quantity is past the end of the Ethernet header and is thus in the Ethernet payload, the interpretation of which depends on the type in the Ethernet header.

> GH> You'd want
> GH>     ether proto 0xbbbb
> GH> to have a filter for frames with an Ethernet type of 0xbbbb.
>
> Ethereal accepts filter 'ether[21:2]==0xbbbb' (and
> 'ether[21:2]=0xbbbb', and 'ip[7:2]==0xbbbb', and 'ip[7:2]=0xbbbb'), so
> may be I'm right?

Eh?

Ethereal - and tcpdump, and other programs that use libpcap/WinPcap - accept filters of that sort, but that just means that you can filter on the contents of data at arbitrary offsets from the beginning of the packet.

This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/
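The offsets discussed in this message, worked through on constructed frames (an added example, not code from the thread or from libpcap). The helper names and both sample frames are assumptions, and the evaluator is a simplified model for untagged Ethernet: `ip[...]` is read relative to the IP header and only on frames whose type is 0x0800, and a read past the end of the frame does not match.

```python
import re
import struct

ETH_HLEN = 14            # dst MAC (6) + src MAC (6) + type (2)
ETHERTYPE_IPV4 = 0x0800

# Accepts e.g. "ether[21:2]==0xbbbb" or "ip[7:2]=0xbbbb" ("=" and "==" alike).
_EXPR = re.compile(r"^(ether|ip)\[(\d+):([124])\]\s*==?\s*(0x[0-9a-fA-F]+|\d+)$")

def load(frame, proto, offset, size):
    """Big-endian value at proto[offset:size], or None if it cannot be read."""
    base = 0
    if proto == "ip":
        # ip[...] counts from the start of the IP header, IPv4 frames only.
        if len(frame) < ETH_HLEN:
            return None
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            return None
        base = ETH_HLEN
    start = base + offset
    if start + size > len(frame):
        return None        # read past the end of the frame: no match
    return int.from_bytes(frame[start:start + size], "big")

def matches(expr, frame):
    """Evaluate one 'proto[off:size] == value' expression against a raw frame."""
    m = _EXPR.match(expr.strip())
    if not m:
        raise ValueError("unsupported expression: %r" % expr)
    proto, off, size, lit = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    want = int(lit, 16) if lit.lower().startswith("0x") else int(lit)
    return load(frame, proto, off, size) == want

def make_frame(ethertype, payload):
    """Build an untagged Ethernet frame with constructed MAC addresses."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    return dst + src + struct.pack("!H", ethertype) + payload

# Constructed sample 1: Ethernet type 0xbbbb, 20 zero bytes of payload.
FRAME_BBBB = make_frame(0xBBBB, bytes(20))

# Constructed sample 2: an IPv4 frame whose payload bytes 7..8 happen to be 0xbbbb.
_ip = bytearray(20)
_ip[0] = 0x45
_ip[7:9] = b"\xbb\xbb"
FRAME_IP = make_frame(ETHERTYPE_IPV4, bytes(_ip))
```

On these frames `ether[12:2]==0xbbbb` selects only the first one, while `ether[21:2]==0xbbbb` selects only the IPv4 frame, whose Ethernet type is not 0xbbbb at all.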
