[Winpcap-users] matching packets based on the content
guy at alum.mit.edu
Thu May 10 18:54:31 GMT 2007
> I have read in the winpacap manual that pcap_compile() can be used to
> filter the packets. However, something was not clear to me.
> Is it possible to filter packets based on the content of the packet?
> (not the link header) Say, for example, match every tcp packet which
> hold data starting with 01 B2 hex values?
Somebody asked that question on the tcpdump-workers mailing list;
Jefferson Ogata gave the answer there:
> If by "the data" you mean the TCP payload, yes.
> tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x011b
> The high nybble of tcp[12:1] is the number of 32-bit words in the TCP
> header. So tcp[12:1] >> 2 (the & 0xf0 is perhaps a no-op in the example
> expression, but is there for clarity) gives you the actual size of the
> TCP header. The payload thus begins at tcp[tcp[12:1] >> 2].
> You can do similar machinations for UDP or what have you.
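To make the offset arithmetic in that answer concrete, here is an added Python example (my own code, not from the thread and not libpcap) that builds a constructed Ethernet/IPv4/TCP frame and evaluates `tcp[((tcp[12:1] & 0xf0) >> 2):2]` on it the way the compiled BPF filter would, including the case where TCP options lengthen the header; the 16-bit constant being compared is a parameter, and an out-of-range read makes the match fail, as it does in libpcap.

```python
import struct

ETH_HDR_LEN = 14      # no VLAN tag in the constructed frames
IPPROTO_TCP = 6


def build_tcp_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Construct a sample Ethernet/IPv4/TCP frame (checksums left at zero)."""
    assert len(tcp_options) % 4 == 0, "TCP options must be padded to 32-bit words"
    tcp_hdr_len = 20 + len(tcp_options)
    data_offset_byte = (tcp_hdr_len // 4) << 4       # high nybble = header length in words
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, data_offset_byte, 0x18, 8192, 0, 0)
    tcp += tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\x00" * 12 + b"\x08\x00"                 # dst/src MAC, EtherType IPv4
    return eth + ip + tcp


def tcp_payload_word(frame: bytes):
    """Evaluate tcp[((tcp[12:1] & 0xf0) >> 2):2]; None means the filter does not match."""
    ip_off = ETH_HDR_LEN
    ihl = (frame[ip_off] & 0x0f) * 4                  # IP header length, so tcp[0] is found
    if frame[ip_off + 9] != IPPROTO_TCP:
        return None                                   # the "tcp" qualifier fails
    tcp_off = ip_off + ihl
    hdr_len = (frame[tcp_off + 12] & 0xf0) >> 2       # (tcp[12:1] & 0xf0) >> 2 = header bytes
    start = tcp_off + hdr_len                         # first payload byte
    if start + 2 > len(frame):
        return None                                   # out-of-bounds access: no match
    return struct.unpack("!H", frame[start:start + 2])[0]


def matches(frame: bytes, value: int) -> bool:
    """True when the frame's TCP payload begins with the 16-bit value."""
    return tcp_payload_word(frame) == value


if __name__ == "__main__":
    print(matches(build_tcp_frame(b"\x01\xb2data"), 0x01b2))                       # True
    print(matches(build_tcp_frame(b"\x01\xb2data", b"\x01\x01\x01\x00"), 0x01b2))  # True, 24-byte header
    print(matches(build_tcp_frame(b"\x01"), 0x01b2))                               # False, too short
```

For UDP the header is a fixed 8 bytes, so the equivalent check is simply `udp[8:2] = 0x01b2`.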