Wireshark-users: [Wireshark-users] using offset to check any byte in the whole ether-frame
From: Julio Talaverano <delaflota@xxxxxxxxx>
Date: Thu, 21 Nov 2013 07:02:58 -0800 (PST)
Hi,

As far as I have seen up to now, offsets can only be used on specific fields like ip, tcp, eth.src and such.

I'd like to do something like:
etherframe[1410:2] == 20:f1 for example.

What I wanted to check for is the hostname a DNS request asked for and the related ICMP port unreachable
error messages, which also include the hostname in their load behind the ICMP header.

Or even the IP identification field in both the IP packet and the load of the ICMP error message, as above.

This way I'd like to know how long our proxies keep asking the same name server
for the resolution of the same hostname after reception of the port unreachable error message.

Any hint?

Thanks
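
The correlation asked about above, worked offline on raw frame bytes (an added example, not part of the original message and not Wireshark code): it pairs each ICMP port unreachable with the DNS query it quotes, by hostname when the quoted data is long enough and by IP identification otherwise, then reports how long queries for that name continued. Assumptions: Ethernet II frames carrying IPv4 without VLAN tags, a single querying host so IP identification values do not collide, and all function names and sample packets are constructed for illustration.

```python
import struct

def ip_split(pkt):
    """IPv4 packet -> (identification, protocol, payload), honouring IHL."""
    return struct.unpack("!H", pkt[4:6])[0], pkt[9], pkt[(pkt[0] & 0x0F) * 4:]

def dns_qname(udp):
    """First question name of a DNS message in a UDP datagram to port 53, else None."""
    if len(udp) < 21 or udp[2:4] != b"\x00\x35":
        return None                      # not DNS, or the quoted data stops too early
    labels, i = [], 20                   # 8-byte UDP header + 12-byte DNS header
    while i < len(udp) and udp[i]:
        labels.append(udp[i + 1:i + 1 + udp[i]].decode("ascii", "replace"))
        i += 1 + udp[i]
    return ".".join(labels) if i < len(udp) else None   # None if the name was cut off

def classify(frame):
    """Ethernet frame -> ('query' | 'unreach', ip_id, qname), or None if neither."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ident, proto, data = ip_split(frame[14:])
    if proto == 17 and dns_qname(data):
        return "query", ident, dns_qname(data)
    if proto == 1 and data[:2] == b"\x03\x03" and len(data) >= 28:  # type 3, code 3
        ident, proto, inner = ip_split(data[8:])   # original datagram follows ICMP header
        return "unreach", ident, dns_qname(inner) if proto == 17 else None
    return None

def retry_seconds(capture):
    """Per hostname: seconds from the first port unreachable to the last later query."""
    by_id, first_err, last_query = {}, {}, {}
    for ts, frame in capture:
        kind, ident, name = classify(frame) or (None, None, None)
        if kind == "query":
            by_id[ident] = name
            if name in first_err:
                last_query[name] = ts
        elif kind == "unreach" and (name or by_id.get(ident)):
            first_err.setdefault(name or by_id[ident], ts)   # fall back to IP ID match
    return {n: last_query.get(n, t) - t for n, t in first_err.items()}

def ip(ident, proto, l4):   # constructed sample builder: bare IPv4 header, zero checksum
    return struct.pack("!BBHHHBBH8x", 0x45, 0, 20 + len(l4), ident, 0, 64, proto, 0) + l4

Q = (struct.pack("!4H6H", 40000, 53, 38, 0, 1, 0x0100, 1, 0, 0, 0)
     + b"\x07example\x04test\x00\x00\x01\x00\x01")           # constructed DNS query
ETH = bytes(12) + b"\x08\x00"
SAMPLE = [(0.0, ETH + ip(0x1111, 17, Q)),                     # (timestamp, frame)
          (0.1, ETH + ip(0, 1, b"\x03\x03" + bytes(6) + ip(0x1111, 17, Q)[:28])),
          (1.0, ETH + ip(0x1112, 17, Q)), (5.0, ETH + ip(0x1113, 17, Q))]
```

The second sample frame quotes only the IP header plus 8 bytes of the original datagram, the minimum RFC 792 requires, so the hostname is absent there and only the IP identification links it to the query.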