On Jan 10, 2005, at 1:03 PM, Rob Henningsgard wrote:
> Why wouldn't you just look at the packet length, and discard any with lengths of sixty bytes or less?
...on Ethernet, at least. On other networks, the number might be different (as the link-layer header has a different length, and as there wouldn't be the same padding to a minimum length).
A more precise filter would fetch the IP total length, subtract the IP and TCP header lengths, and save only packets where the result is greater than zero; fetching those lengths would be done with the ip[offset:len] and tcp[offset:len] syntax, and doing the appropriate shifting and masking, as per the "expr relop expr" part of the section of the tcpdump manual page describing filter expressions. (Determining the expression to be used is left as an exercise to the reader.)
However, checking for a length > 60 is probably close enough on Ethernet. It might catch some TCP segments with a small amount of data (14+20+20+6 = 60, so, for example, TCP segments with up to 6 bytes and no IP or TCP options would be captured), but that's probably better than *not* capturing TCP segments that *do* have data.
==================================================================
This is the WinPcap users list. It is archived at http://www.mail-archive.com/[email protected]/
To unsubscribe use mailto: [EMAIL PROTECTED]
==================================================================
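As an added illustration (not code from either poster), the following Python works out the "IP total length minus IP and TCP header lengths" arithmetic described above on constructed Ethernet/IPv4/TCP frames, and compares it with the plain "length > 60" heuristic. It assumes untagged Ethernet with IPv4 (no 802.1Q), and the BPF form quoted in the comments is the one from the tcpdump manual page's examples.

```python
import struct

ETH_HDR_LEN = 14
ETH_MIN_FRAME = 60  # minimum Ethernet frame (without FCS); shorter ones are padded


def tcp_payload_len(frame):
    """Payload bytes carried by an Ethernet/IPv4/TCP frame, or None if the
    frame is not IPv4/TCP. Same arithmetic as the tcpdump filter
    (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) << 2                       # IP header length in bytes
    total_len = struct.unpack_from("!H", ip, 2)[0]  # IP total length (ip[2:2])
    if ip[9] != 6 or len(ip) < ihl + 20:            # protocol 6 = TCP
        return None
    doff = (ip[ihl + 12] & 0xF0) >> 2               # TCP data offset in bytes
    return total_len - ihl - doff                   # padding is not counted


def length_filter(frame):
    """The simple heuristic: keep frames longer than 60 bytes."""
    return len(frame) > ETH_MIN_FRAME


def payload_filter(frame):
    """The precise filter: keep only TCP segments that carry data."""
    n = tcp_payload_len(frame)
    return n is not None and n > 0


def build_frame(payload):
    """Constructed sample frame: Ethernet + 20-byte IPv4 + 20-byte TCP header,
    no options, padded to the Ethernet minimum the way a NIC would."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"   # dst, src, ethertype IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return (eth + ip + tcp + payload).ljust(ETH_MIN_FRAME, b"\x00")


if __name__ == "__main__":
    for data in (b"", b"GET / ", b"GET / HTTP/1.0\r\n"):
        f = build_frame(data)
        print(len(f), tcp_payload_len(f), length_filter(f), payload_filter(f))
```

A 60-byte frame may be a pure ACK padded by the NIC or a segment with up to 6 bytes of data; only the header arithmetic tells them apart.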
