[Winpcap-users] Re: filtering with data criteria

Guy Harris guy at alum.mit.edu
Tue Jun 27 17:23:10 GMT 2006


joe kibz wrote:

> I need to create a filter expression.
> The criteria are:
> protocol = UDP
> contains data = "blahblahblah"
> only
>
> What does the filter expression look like? The manual says the format
> looks something like proto [expr : expr ]...

The two expressions are offsets and lengths.

I.e., there's no "contains" operator.  There are only operators that let 
you test specific 1-byte, 2-byte, or 4-byte values at specific offsets.

The offset is relative to the beginning of the header for the protocol 
in question.  Fortunately, UDP packets have a fixed-length UDP header, 
so the offset of the first byte of UDP payload relative to the beginning 
of the UDP header is a constant.
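As an added illustration of the point above (this is example code written for this archive page, not part of WinPcap or of the original reply), the following Python builds the kind of `proto[offset:len]` expression the reply describes. It assumes the 8-byte fixed UDP header, so the first payload byte is `udp[8]`, and splits the wanted string into the only access widths the filter language offers (4, 2 and 1 bytes). The helper names `udp_payload_prefix_filter`, `matches_udp_prefix` and `make_udp_datagram` are my own. The small evaluator mimics how the packet filter would treat the generated expression, including the rule that a load beyond the end of the captured packet makes the whole filter reject, and shows why this is a "starts with" test rather than "contains":

```python
"""Build a libpcap/WinPcap filter that tests for a byte string at the start of
the UDP payload, using only proto[offset:len] comparisons.

Added example for this mailing-list page; not WinPcap project code.  Helper
names below are invented for the example.
"""

UDP_HEADER_LEN = 8  # UDP header is fixed-size, so payload begins at udp[8]


def udp_payload_prefix_filter(needle: bytes) -> str:
    """Return an expression such as
    'udp[8:4] = 0x626c6168 and udp[12:4] = 0x626c6168' that is true when the
    UDP payload *begins* with `needle`.  Only 1-, 2- and 4-byte loads exist,
    so the string is cut into 4-byte words followed by a 2- and/or 1-byte tail.
    """
    if not needle:
        raise ValueError("needle must not be empty")
    terms = []
    offset = UDP_HEADER_LEN
    remaining = needle
    while remaining:
        width = 4 if len(remaining) >= 4 else (2 if len(remaining) >= 2 else 1)
        chunk, remaining = remaining[:width], remaining[width:]
        value = int.from_bytes(chunk, "big")  # filter compares in network byte order
        terms.append(f"udp[{offset}:{width}] = 0x{value:0{width * 2}x}")
        offset += width
    return " and ".join(terms)


def matches_udp_prefix(udp_datagram: bytes, needle: bytes) -> bool:
    """Evaluate the generated expression against a raw UDP datagram
    (header + payload) the way the packet filter would: each term loads
    `width` bytes at `offset` from the UDP header; a load past the end of the
    packet rejects the packet outright."""
    for term in udp_payload_prefix_filter(needle).split(" and "):
        lhs, rhs = term.split(" = ")
        offset, width = (int(x) for x in lhs[len("udp["):-1].split(":"))
        if offset + width > len(udp_datagram):
            return False
        if int.from_bytes(udp_datagram[offset:offset + width], "big") != int(rhs, 16):
            return False
    return True


def make_udp_datagram(payload: bytes, sport: int = 1234, dport: int = 5678) -> bytes:
    """Constructed sample datagram: 8-byte UDP header (checksum left zero)
    followed by the payload."""
    length = UDP_HEADER_LEN + len(payload)
    return (sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
            + length.to_bytes(2, "big") + b"\x00\x00" + payload)


if __name__ == "__main__":
    print(udp_payload_prefix_filter(b"blahblahblah"))
    # The filter only sees the string when it sits at the start of the payload;
    # there is no "anywhere in the packet" operator, so the second case is False.
    print(matches_udp_prefix(make_udp_datagram(b"blahblahblah more"), b"blahblahblah"))
    print(matches_udp_prefix(make_udp_datagram(b"xblahblahblah"), b"blahblahblah"))
```

The generated string can be handed to `pcap_compile()` (or tcpdump / WinDump) as-is. Because every term is anchored at a fixed offset from the UDP header, the expression answers "does the payload start with this string", not "does the packet contain it anywhere"; matching at an arbitrary position has to be done in the application after capture.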

