Wireshark-users: Re: [Wireshark-users] capture filter
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 28 Sep 2011 19:39:47 -0700
On Sep 28, 2011, at 7:18 PM, Andrej van der Zee wrote:

>> IPv4
>> ip[12:4] != ip[16:4]
>
> This seems to work indeed.
>
> Should I read this as "4 bytes from offset 12 != 4 bytes from offset
> 16", relative to the start of the IP-header?

Yes:

$ man pcap-filter
PCAP-FILTER(7)                                                PCAP-FILTER(7)

NAME
       pcap-filter - packet filter syntax

DESCRIPTION
       pcap_compile() is used to compile a string into a filter program.
       The resulting filter program can then be applied to some stream of
       packets to determine which packets will be supplied to pcap_loop(),
       pcap_dispatch(), pcap_next(), or pcap_next_ex().

       The filter expression consists of one or more primitives. Primitives
       usually consist of an id (name or number) preceded by one or more
       qualifiers. There are three different kinds of qualifier:

       ...

       Allowable primitives are:

       ...

       expr relop expr
              True if the relation holds, where relop is one of >, <, >=,
              <=, =, !=, and expr is an arithmetic expression composed of
              integer constants (expressed in standard C syntax), the normal
              binary operators [+, -, *, /, &, |, <<, >>], a length
              operator, and special packet data accessors. Note that all
              comparisons are unsigned, so that, for example, 0x80000000
              and 0xffffffff are > 0. To access data inside the packet, use
              the following syntax:

                     proto [ expr : size ]

              Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip,
              arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the
              protocol layer for the index operation. (ether, fddi, wlan,
              tr, ppp, slip and link all refer to the link layer. radio
              refers to the "radio header" added to some 802.11 captures.)
              Note that tcp, udp and other upper-layer protocol types only
              apply to IPv4, not IPv6 (this will be fixed in the future).
              The byte offset, relative to the indicated protocol layer, is
              given by expr. Size is optional and indicates the number of
              bytes in the field of interest; it can be either one, two, or
              four, and defaults to one.

              The length operator, indicated by the keyword len, gives the
              length of the packet.

              For example, `ether[0] & 1 != 0' catches all multicast
              traffic. The expression `ip[0] & 0xf != 5' catches all IPv4
              packets with options. The expression `ip[6:2] & 0x1fff = 0'
              catches only unfragmented IPv4 datagrams and frag zero of
              fragmented IPv4 datagrams. This check is implicitly applied
              to the tcp and udp index operations. For instance, tcp[0]
              always means the first byte of the TCP header, and never
              means the first byte of an intervening fragment.

              Some offsets and field values may be expressed as names
              rather than as numeric values. The following protocol header
              field offsets are available: icmptype (ICMP type field),
              icmpcode (ICMP code field), and tcpflags (TCP flags field).

              The following ICMP type field values are available:
              icmp-echoreply, icmp-unreach, icmp-sourcequench,
              icmp-redirect, icmp-echo, icmp-routeradvert,
              icmp-routersolicit, icmp-timxceed, icmp-paramprob,
              icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply,
              icmp-maskreq, icmp-maskreply.

              The following TCP flags field values are available: tcp-fin,
              tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

(On UN*Xes with pre-1.0 libpcaps, do "man tcpdump" and scan through it
for that information.)
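The reply above explains the `proto[offset:size]` accessor and quotes the man page's example filters, including the implicit first-fragment check on `tcp[...]`. The following is an added example, not part of this thread or of libpcap: a small Python model of those accessor semantics evaluated against a few constructed Ethernet/IPv4/TCP frames, so you can see why `ip[12:4] != ip[16:4]` means "source address differs from destination address", why `tcp[13]` still lands on the flags byte when IP options are present, and why a non-first fragment never matches a `tcp[...]` filter. It assumes an Ethernet link layer with no VLAN tag and models only the `ether`, `ip`, `tcp` and `udp` qualifiers; checksums are left zero because the filter engine never looks at them.

```python
"""Model of pcap-filter's proto[offset:size] packet accessors.

Added example: this is NOT libpcap.  It re-implements the semantics the
man page describes on constructed frames so the filters quoted in the
thread can be evaluated offline.  Assumes Ethernet framing, no VLAN tags.
"""
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_SYN = 0x02          # the numeric value behind the name "tcp-syn"


class NoMatch(Exception):
    """Load outside the packet or through the wrong protocol: BPF rejects the packet."""


def _load(buf, off, size):
    """proto[off:size] style big-endian unsigned load; size must be 1, 2 or 4."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    chunk = buf[off:off + size]
    if len(chunk) != size:
        raise NoMatch          # reading past the end of the packet never matches
    return int.from_bytes(chunk, "big")


class Packet:
    """Offsets are relative to the named protocol header, as in pcap-filter."""

    def __init__(self, frame):
        self.frame = frame

    def ether(self, off, size=1):
        return _load(self.frame, off, size)

    def ip(self, off, size=1):
        # 'ip' only applies to IPv4 frames: the EtherType must say so.
        if self.ether(12, 2) != ETHERTYPE_IPV4:
            raise NoMatch
        return _load(self.frame, ETH_HDR_LEN + off, size)

    def _l4(self, proto, off, size):
        if self.ip(9) != proto:
            raise NoMatch
        # Implicit check from the man page: tcp[...]/udp[...] only see
        # unfragmented datagrams or fragment zero.
        if self.ip(6, 2) & 0x1FFF != 0:
            raise NoMatch
        ihl_bytes = (self.ip(0) & 0x0F) * 4   # skip IP options if present
        return _load(self.frame, ETH_HDR_LEN + ihl_bytes + off, size)

    def tcp(self, off, size=1):
        return self._l4(IPPROTO_TCP, off, size)

    def udp(self, off, size=1):
        return self._l4(IPPROTO_UDP, off, size)


# The filter from the thread plus the examples quoted from pcap-filter(7).
FILTERS = {
    "ip[12:4] != ip[16:4]":   lambda p: p.ip(12, 4) != p.ip(16, 4),    # src addr != dst addr
    "ip[0] & 0xf != 5":       lambda p: (p.ip(0) & 0x0F) != 5,         # IPv4 with options
    "ip[6:2] & 0x1fff = 0":   lambda p: (p.ip(6, 2) & 0x1FFF) == 0,    # unfragmented or frag 0
    "tcp[13] & tcp-syn != 0": lambda p: (p.tcp(13) & TCP_SYN) != 0,    # SYN flag set
    "ether[0] & 1 != 0":      lambda p: (p.ether(0) & 1) != 0,         # multicast/broadcast dst
}


def matches(expr, frame):
    """True if the frame passes the named filter; any bad load means no match."""
    try:
        return bool(FILTERS[expr](Packet(frame)))
    except NoMatch:
        return False


# --- constructed sample frames (not captured traffic) ----------------------
def make_frame(src, dst, ihl=5, frag_off=0, tcp_flags=TCP_SYN, ethertype=ETHERTYPE_IPV4):
    """Ethernet + IPv4 (+options) + 20-byte TCP header; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    options = b"\x00" * ((ihl - 5) * 4)        # zero padding stands in for real options
    total_len = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, frag_off,
                     64, IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype)
    return eth + ip + options + tcp


PLAIN_SYN = make_frame("10.0.0.1", "10.0.0.2")
SAME_SRC_DST = make_frame("10.0.0.5", "10.0.0.5")              # excluded by the thread's filter
WITH_OPTIONS = make_frame("10.0.0.1", "10.0.0.2", ihl=6)       # IHL=6 -> 4 bytes of options
LATER_FRAGMENT = make_frame("10.0.0.1", "10.0.0.2", frag_off=185)
NOT_IP = make_frame("10.0.0.1", "10.0.0.2", ethertype=0x0806)  # ARP EtherType: ip[] never applies

if __name__ == "__main__":
    for name, f in [("PLAIN_SYN", PLAIN_SYN), ("SAME_SRC_DST", SAME_SRC_DST),
                    ("WITH_OPTIONS", WITH_OPTIONS), ("LATER_FRAGMENT", LATER_FRAGMENT),
                    ("NOT_IP", NOT_IP)]:
        print(name, {e: matches(e, f) for e in FILTERS})
```

Two points worth noticing when you run it: the SYN filter still matches `WITH_OPTIONS` because the `tcp` accessor adds the IHL-derived header length, which is what lets `tcp[0]` always mean the first byte of the TCP header; and `LATER_FRAGMENT` fails both the explicit `ip[6:2] & 0x1fff = 0` test and the SYN filter, because the same fragment check is applied implicitly before any `tcp[...]` load. To check the real thing rather than this model, `tcpdump -d 'ip[12:4] != ip[16:4]'` prints the BPF program libpcap compiles for the expression.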
- Follow-Ups:
- Re: [Wireshark-users] capture filter
- From: Andrej van der Zee
- Re: [Wireshark-users] capture filter
- References:
- [Wireshark-users] capture filter
- From: Andrej van der Zee
- Re: [Wireshark-users] capture filter
- From: Tony Trinh
- Re: [Wireshark-users] capture filter
- From: Andrej van der Zee
- [Wireshark-users] capture filter