Wireshark-users: Re: [Wireshark-users] Wireshark Capture Filter Using Offset
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 19 Jul 2010 23:37:20 -0700
On Jul 19, 2010, at 2:27 PM, George E Burns wrote:

> I have a question regarding "capture" filters.  Specifically, I need to write a low level filter that will capture dynamic DNS update packets containing the opcode value of 0x05.  I know what the offset value is (0x2C and 0x2D) in the payload, but apparently I am missing something when trying to understand the correct "tcp dump" syntax to use as part of the capture filter in Wireshark.   
> 
> Capture Filter:         udp[2c] == 28 and udp[2d] == 00 

Numbers in capture filters are, by default, *decimal*, not *hexadecimal*, so "udp[2c]" is illegal.  To look at the byte at an offset of 0x2c = 44 from the beginning of the UDP header, you need to look at udp[0x2c] or udp[44].

However, the opcode value doesn't take an entire byte, so you need to use a mask.

Also, the comparison-for-equality operator in capture filters is =, not ==.

The UDP header is 16 bytes, so you have to add 16 to the offset from the beginning of the DNS header.  The opcode is in the byte at an offset of 3 from the beginning of the DNS header, so that's an offset of 19 (which is *NOT* 0x2C!), so the filter would be

	udp port domain and (udp[19] & 0x78) = 0x50

if you want to capture all DNS-over-UDP packets with an opcode of 5.  (DNS-over-TCP is left as an exercise for the reader.)
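As an added example that is not part of the thread (constructed here, not code from either poster), the following Python builds the byte-and-mask capture filter for a given DNS opcode and evaluates the same test against a constructed UDP datagram, so the match can be checked offline before it is typed into Wireshark. It assumes the 8-byte UDP header of RFC 768 and the 12-byte DNS header of RFC 1035, in which the opcode occupies bits 1 to 4 of the third header byte, and that the frame offset 0x2C quoted above was measured on untagged Ethernet with an option-free IPv4 header.

```python
"""Build and check a pcap-filter byte test for a DNS opcode (constructed example)."""
import struct

UDP_HEADER_LEN = 8       # RFC 768: src port, dst port, length, checksum
DNS_FLAGS_OFFSET = 2     # RFC 1035: bytes 0-1 are the ID, bytes 2-3 the flags
OPCODE_MASK = 0x78       # bits 1-4 of the first flags byte; bit 0 is QR, bits 5-7 AA/TC/RD
OPCODE_SHIFT = 3         # opcode value sits above the AA/TC/RD bits
OPCODE_UPDATE = 5        # RFC 2136 dynamic update

# Offset of the same flags byte from the start of an untagged Ethernet/IPv4 frame
# (assumption: 14-byte Ethernet header, 20-byte IPv4 header without options).
FRAME_FLAGS_OFFSET = 14 + 20 + UDP_HEADER_LEN + DNS_FLAGS_OFFSET   # 44 == 0x2c


def dns_opcode_filter(opcode: int) -> str:
    """Return a capture-filter expression for DNS-over-UDP with this opcode.

    Offsets are relative to the UDP header, so the expression does not depend on
    link-layer or IP option lengths the way a raw frame offset does.  The mask
    ignores QR, so replies to the matched opcode are captured as well.
    """
    if not 0 <= opcode <= 15:
        raise ValueError("opcode is a 4-bit field")
    offset = UDP_HEADER_LEN + DNS_FLAGS_OFFSET
    value = opcode << OPCODE_SHIFT
    return f"udp port domain and (udp[{offset}] & {OPCODE_MASK:#04x}) = {value:#04x}"


def build_dns_over_udp(opcode: int, txid: int = 0x1234) -> bytes:
    """Constructed UDP datagram: UDP header plus a DNS header with the given opcode."""
    flags16 = opcode << 11            # QR=0, opcode in bits 1-4 of the 16-bit field, rest 0
    dns_hdr = struct.pack("!HHHHHH", txid, flags16, 0, 0, 0, 0)
    udp_hdr = struct.pack("!HHHH", 53000, 53, UDP_HEADER_LEN + len(dns_hdr), 0)
    return udp_hdr + dns_hdr


def udp_byte_test(udp: bytes, offset: int, mask: int, value: int) -> bool:
    """Evaluate what the BPF expression (udp[offset] & mask) = value checks."""
    return len(udp) > offset and (udp[offset] & mask) == value


def is_dns_update(udp: bytes) -> bool:
    """Apply the opcode-5 test to a datagram starting at the UDP header."""
    return udp_byte_test(udp, UDP_HEADER_LEN + DNS_FLAGS_OFFSET,
                         OPCODE_MASK, OPCODE_UPDATE << OPCODE_SHIFT)


if __name__ == "__main__":
    print(dns_opcode_filter(OPCODE_UPDATE))
    print(is_dns_update(build_dns_over_udp(OPCODE_UPDATE)), is_dns_update(build_dns_over_udp(0)))
```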