[Winpcap-users] matching packets based on the content

Guy Harris guy at alum.mit.edu
Thu May 10 18:54:31 GMT 2007


McDouglas wrote:

> I have read in the winpcap manual that pcap_compile() can be used to
> filter the packets. However, something was not clear to me.
> 
> Is it possible to filter packets based on the content of the packet?
> (not the link header) Say, for example, match every tcp packet which
> holds data starting with 01 B2 hex values?

Somebody asked that question on the tcpdump-workers mailing list; 
Jefferson Ogata gave the answer there:

> If by "the data" you mean the TCP payload, yes.
> 
> tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x011b
> 
> The high nybble of tcp[12:1] is the number of 32-bit words in the TCP
> header. So tcp[12:1] >> 2 (the & 0xf0 is perhaps a no-op in the example
> expression, but is there for clarity) gives you the actual size of the
> TCP header. The payload thus begins at tcp[tcp[12:1] >> 2].
> 
> You can do similar machinations for UDP or what have you.

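As an added illustration (not part of the original thread), here is the same payload-offset arithmetic written out in Python over constructed TCP segments, so the effect of TCP options and of the reserved nybble on the `tcp[12:1]` calculation can be checked offline; the helper names and the sample segments are my own, and the filter string it emits is the one from Jefferson Ogata's reply generalised to 1-, 2- or 4-byte prefixes.

```python
import struct


def tcp_payload_offset(tcp: bytes) -> int:
    """Byte offset of the payload inside a TCP segment.

    Mirrors the filter's ((tcp[12:1] & 0xf0) >> 2): the high nybble of
    byte 12 is the Data Offset in 32-bit words; the mask drops the reserved
    bits in the low nybble, and >> 2 multiplies the word count by 4.
    """
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    return (tcp[12] & 0xF0) >> 2


def payload_starts_with(tcp: bytes, prefix: bytes) -> bool:
    """Python equivalent of tcp[<offset>:len(prefix)] = <prefix>."""
    off = tcp_payload_offset(tcp)
    return tcp[off:off + len(prefix)] == prefix


def pcap_filter_for_prefix(prefix: bytes) -> str:
    """Build the pcap filter string from the thread for a 1-, 2- or 4-byte prefix.

    pcap's packet-data accessors only read 1, 2 or 4 bytes at a time.
    """
    if len(prefix) not in (1, 2, 4):
        raise ValueError("pcap payload accessors take 1, 2 or 4 bytes")
    return "tcp[((tcp[12:1] & 0xf0) >> 2):%d] = 0x%s" % (len(prefix), prefix.hex())


def build_tcp_segment(payload: bytes, options: bytes = b"", reserved: int = 0) -> bytes:
    """Constructed sample segment: 20-byte base header plus padded options.

    `reserved` sets the low nybble of byte 12 (normally zero) so the effect of
    the & 0xf0 mask can be observed on a malformed segment.
    """
    options += b"\x00" * (-len(options) % 4)  # Data Offset counts 32-bit words
    data_offset_words = (20 + len(options)) // 4
    offset_byte = (data_offset_words << 4) | (reserved & 0x0F)
    header = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, offset_byte, 0x18, 65535, 0, 0)
    return header + options + payload


# Constructed inputs: the asker's 01 B2 prefix, with and without an MSS option.
PLAIN = build_tcp_segment(b"\x01\xb2hello")
WITH_MSS = build_tcp_segment(b"\x01\xb2hello", options=b"\x02\x04\x05\xb4")
BAD_RESERVED = build_tcp_segment(b"\x01\xb2hello", reserved=0x4)
```

With options present the payload starts at byte 24, so a fixed `tcp[20:2]` would read the option bytes instead; and when a malformed segment sets reserved bits, `tcp[12] >> 2` without the mask yields a wrong offset, which is why the mask is not a no-op.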