Ethereal-users: Re: [Ethereal-users] EtherPeek equivalents in Ethereal (name table and offset fi
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
Guy Harris wrote:
Offset Filtering - In EtherPeek, you can define a filter based on an
offset anywhere within the packet. Looking at Ethereal, it seems as
though filtering is accomplished based on the protocols available in
the Filter Expression window (Analyze - Display Filters -
Expression... button). I see LLC listed, but I would like to filter
based on bytes further within the payload (I guess at the application
layer), for example only filter packets where offset 51 is equal to
24H. How can I do this?
If by "offset 51" you mean the offset from the beginning of the
packet, you can do it with
frame[51:1] == 24
With the "Add Expression" dialog, you can click on "Frame" in the
"Field name" list, click on "==" in the Relation list, put "51:1" in
the "Range" box (i.e., an offset of 51 and a length of 1), and put 24
in the "Value" list. If the length is greater than 1, the value is a
list of hexadecimal byte values, e.g.
frame[51:2] == 24:17
would compare the 2 bytes starting at byte 51 with hex 24 and hex 17,
respectively.
This is a terrific feature, but the notation seems quite un-intuitive to
me. The 'offset' and and 'length' values default to decimal notation and
the 'value' defaults to hex. From experimentation, the range values can
be specified with a leading '0x' to force hex. Why not make them all
default to the same notation (decimal) and allow the 0x to force hex?
Typically I would read both the range and the values from the hex dump
pane and wouldn't expect to have to use two different notations.
Bob S,
