> > For example, take the following code:
> >
> > 0000 ff ff ff ff ff ff 00 40 68 1b 3d 26 00 60 ff ff .......@h.=&.`..
> > 0010 00 60 00 04 b0 b0 b0 b0 ff ff ff ff ff ff 04 52 .`.............R
> > 0020 b0 b0 b0 b0 00 40 68 1b 3d 26 04 52 00 02 03 63 .....@h.=&.R...c
> > 0030 45 53 49 31 37 38 35 31 32 36 00 00 00 00 00 00 ESI1785126......
> > 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 0060 00 00 00 00 00 40 68 1b 3d 26 40 0b 00 01 .....@h.=&@...
By the way, that looks like an 802.3 packet with:
destination address ff:ff:ff:ff:ff:ff (broadcast)
source address 00:40:68:1b:3d:26
packet length hex 0060 (96)
with a payload beginning with 0xffff, i.e. a NetWare Ethernet_802.3 IPX
packet. In fact, after text2pcapifying it, it's a Service Advertisement
Protocol packet, and the b0b0b0b0 at an offset of 20 is the destination
network field in the IPX header.
However, libpcap doesn't know enough IPX to let you check for that
conveniently.
You might, however, want to try the filter
ipx and link[26:4] = 0xb0b0b0b0
just to make sure it doesn't check non-IPX packets, if what you *really*
want is to capture IPX packets sent to b0b0b0b0 as the destination
network.
