Greg Helps wrote:
Screen redraws, mouse movements and keystrokes are all high priority
activities compared to something like printing. Therefore, the first two
bytes of the tcp data are not encrypted
Note that there's no guarantee that the first two bytes of a Citrix ICA
packet are the first two bytes of a TCP segment - TCP's a byte-stream
protocol, so a higher-level packet can be fragmented across TCP
segments, and a TCP segment can contain more than one ICA packet. As
such, matching on a particular byte after a TCP header isn't guaranteed
to match anything.
I'd like to filter by the first two bits of the second byte of the tcp
payload data. I am currently trying variations of the following display
filter :
(tcp[21] & 0xc0) == 0
This filter is rejected as invalid.
Capture filter, or display filter?
It is, confusingly enough, not a valid capture filter. A valid capture
filter would be
(tcp[21] & 0xc0) = 0
with "=", rather than "==", as the comparison operator. I'm tempted to
change that in libpcap, so that either "=" or "==" can be used.
As for display filters, there are two issues:
The first of which is that the constant operand of "&" must be a byte
string, i.e. a sequence of hex values separated by colons, so you have
to say "c0" rather than "0xc0" for a one-byte value.
The second of which is that, at least as I read the man page, that you
can't do something such as
(tcp[21] & c0) == 0
but you can do
!(tcp[21] & c0)
(Note also that those display and capture filters assume the TCP segment
has no TCP options.)
