Guy,

Thanks for the response. By HTTP text/plain packet I just mean that to see this packet in Wireshark I use http.content_type == "text/plain" && tcp.port == 80. The ASCII value is offset 32 bytes after the beginning of the TCP headers according to Wireshark (here's the packet I'm trying to filter: http://img15.imageshack.us/img15/7955/picture1xpp.png ).
> In other words, if you capture with Wireshark on en1 with the filter
>
> src port 80 && tcp[32:4] = 0x666F7220
>
> you see no traffic, but if you capture with tcpdump on en1 with the
> same filter, you don't?

Sorry, I wasn't clear in that last part. What I meant was, using Wireshark I found that the packet coming to my Mac had the same format as the packet coming to my Linux machine, so it should be filtering it the same way. But my program was not doing so. So, to double check the filter, I used tcpdump and sure enough, it passed on through, confirming that I had the right filter string.

On Apr 16, 2009, at 7:46 PM, Guy Harris wrote:

>
> On Apr 16, 2009, at 2:04 PM, [email protected] wrote:
>
>> I have been working on a program that will report when a HTTP text/plain
>> packet is sent over the network.
>
> What do you mean by "a HTTP text/plain packet"?
>
>> I am using libpcap 1.0 in this C++ program, using the function pcap_compile() as follows:
>>
>> pcap_compile(interface, &filter, "src port 80 && tcp[32:4] = 0x666F7220", 1, mask)
>>
>> As you can see, after the regular TCP headers, I look for the ASCII value "for "
>
> To be precise, you're looking for the ASCII value "for " at an offset
> that, for TCP segments with no TCP options, is 12 bytes past the end
> of the TCP headers.
>
>> which has worked perfectly on my Linux box. However, when I compile
>> on OS X, no packets are found. I used Wireshark to look at the packets on
>> my MacBook, and sure enough, they should pass through the filter, but they
>> don't.
>>
>> To see if I was really wrong, I ran tcpdump with the exact same filter
>>
>> tcpdump -i en1 "src port 80 && tcp[32:4] = 0x666F7220"
>>
>> This gave me results...so the filter is correct.
>
> In other words, if you capture with Wireshark on en1 with the filter
>
> src port 80 && tcp[32:4] = 0x666F7220
>
> you see no traffic, but if you capture with tcpdump on en1 with the
> same filter, you don't?
>
> Or did you just look at some other capture file with Wireshark?

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
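An added illustration of the point Guy raises about the fixed offset (example code, not from this thread or from libpcap): the check equivalent to `tcp[32:4] = 0x666F7220` beside one that reads the TCP data-offset field, run over two constructed segments, one with a plain 20-byte header and one carrying 12 bytes of options. The options-aware filter string in the comment follows the `tcp[((tcp[12]&0xf0)>>2):4]` idiom from the tcpdump manual; the segment layout and payload are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static const uint8_t NEEDLE[4] = { 'f', 'o', 'r', ' ' };   /* "for " == 0x666F7220 */

/* Equivalent of tcp[32:4] = 0x666F7220: a constant offset from the start of the
   TCP header, which only lands 12 bytes into the payload when the header is 20 bytes. */
int match_fixed(const uint8_t *tcp, size_t len) {
    return len >= 36 && memcmp(tcp + 32, NEEDLE, 4) == 0;
}

/* Equivalent of tcp[((tcp[12]&0xf0)>>2)+12:4] = 0x666F7220: the data-offset field
   (header length in 32-bit words) locates the payload whatever options are present. */
int match_dataoff(const uint8_t *tcp, size_t len) {
    if (len < 20) return 0;
    size_t hdr = (size_t)((tcp[12] & 0xf0) >> 2);          /* 20..60 bytes */
    if (hdr < 20 || len < hdr + 16) return 0;
    return memcmp(tcp + hdr + 12, NEEDLE, 4) == 0;
}

/* Constructed TCP segment from port 80 with `optlen` bytes of NOP options and a
   payload whose bytes 12..15 are "for ". Returns the total length, 0 on bad input. */
size_t build_segment(uint8_t *buf, size_t cap, size_t optlen) {
    static const char payload[] = "TEST-FILLER:for the record\r\n"; /* constructed */
    size_t hdr = 20 + optlen, total = hdr + sizeof payload - 1;
    if (optlen % 4 != 0 || hdr > 60 || total > cap) return 0;
    memset(buf, 0, total);
    buf[0] = 0;    buf[1] = 80;                 /* source port 80 */
    buf[2] = 0xC0; buf[3] = 0x01;               /* destination port, arbitrary */
    buf[12] = (uint8_t)((hdr / 4) << 4);        /* data offset in 32-bit words */
    buf[13] = 0x18;                             /* PSH|ACK */
    memset(buf + 20, 0x01, optlen);             /* NOP (kind 1) option padding */
    memcpy(buf + hdr, payload, sizeof payload - 1);
    return total;
}

/* Runs both checks on a segment with `optlen` option bytes.
   Returns bit0 = fixed-offset match, bit1 = data-offset match, -1 on bad input. */
int check_segment(size_t optlen) {
    uint8_t seg[128];
    size_t n = build_segment(seg, sizeof seg, optlen);
    if (n == 0) return -1;
    return match_fixed(seg, n) | (match_dataoff(seg, n) << 1);
}

int main(void) {
    printf("no options : fixed=%d dataoff=%d\n", check_segment(0) & 1, check_segment(0) >> 1);
    printf("12B options: fixed=%d dataoff=%d\n", check_segment(12) & 1, check_segment(12) >> 1);
    return 0;
}
```

With no options both checks match; once 12 bytes of options shift the payload, only the data-offset-aware check still fires, which is the silent miss a constant-offset filter produces.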
