Ethereal

Re: [Ethereal-users] capture filter question - how to use offsets
Google
 
Web Ethereal.com

Home | Introduction | Documentation | Lists | FAQ | Development | Wiki | Bugs

Main Index | Thread Index | Mailing Lists | | Date Prev | Date Next | Thread Prev | Thread Next

Ethereal-users: December 2005

 

Hansang Bae wrote:

The syntax is:

proto[byte offset:number of bytes to check] OPERATOR blah

so tcp[25]=23 ought to do it.

...except that the offset into the TCP header of the destination port is 2, not 25...

If you don't specify it, the default number of bytes
to read is 1 byte.

...and the length of the destination port is 2 bytes, so that's "tcp[2:2] = 23".

Powered by MHonArc 2.6.10

Please send support questions about Ethereal to the ethereal-users[AT]ethereal.com mailing list.
For corrections/additions/suggestions for this web page (and not Ethereal support questions), please send email to ethereal-web[AT]ethereal.com.
Last modified: Fri, November 10 2006.
"Ethereal" and the "e" logo are registered trademarks of Ethereal, Inc.