[Winpcap-users] Filtering with BPF

Leonardo Barata w32.chess at gmail.com
Sat Apr 12 17:17:54 GMT 2008

On Fri, Apr 11, 2008 at 12:09 PM, Isara Anantavrasilp <isara.a at gmail.com> wrote:

> Hi,
> First of all, I hope the question is related to the list.
> I would like to screen out all packets without payloads from my trace
> files.
> That is, I want only the ones with payloads.
> I define payload as anything behind the TCP header which could be
> running over IPv4 and IPv6.
> Has anyone any idea what would be the perfect BPF filter syntax for
> such constraints?
> I am thinking about filtering len > something but would it be any problem?
> Can TCP or IP packet lengths be varied?
> Thanks a lot!
> Cheers,
> Isara Anantavrasilp

As far as I know, no, they don't vary. They're always of the same size
(Ethernet + IP + TCP headers), so I think you can filter by the length of the
packet. To know the exact size of a TCP packet you could use a packet
sniffer ;)
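
An added example, not part of the original thread: Python that derives the TCP payload length from the IPv4 header-length and total-length fields (or the IPv6 payload-length field) and the TCP data-offset field, alongside the same arithmetic written as pcap filter strings. The sample frames are constructed, the IPv6 path assumes no extension headers, and `tcp_payload_len` and the helper names are hypothetical.

```python
import struct

# The same arithmetic as pcap filter expressions. The IPv4 form follows the
# example in the pcap-filter man page; the IPv6 form assumes no extension headers.
BPF_IPV4 = "tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"
BPF_IPV6 = "ip6[6] = 6 and ((ip6[4:2] - ((ip6[52]&0xf0)>>2)) != 0)"

def tcp_payload_len(frame):
    """TCP payload byte count of an Ethernet II frame, or None if not TCP."""
    if len(frame) < 14:
        return None
    ethertype, ip = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == 0x0800 and len(ip) >= 20:            # IPv4
        ihl = (ip[0] & 0x0F) * 4                         # IP header length field
        if ip[9] != 6 or ihl < 20 or len(ip) < ihl + 20:
            return None
        # Total length (header + data) excludes Ethernet padding.
        l4_len, tcp = struct.unpack("!H", ip[2:4])[0] - ihl, ip[ihl:]
    elif ethertype == 0x86DD and len(ip) >= 60:          # IPv6, no ext headers
        if ip[6] != 6:
            return None
        l4_len, tcp = struct.unpack("!H", ip[4:6])[0], ip[40:]
    else:
        return None
    return l4_len - (tcp[12] >> 4) * 4                   # minus TCP data offset

# --- constructed sample frames (zeroed addresses and checksums) ---
def _tcp(payload=b"", options=b""):
    off = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, off << 4, 0x10,
                       8192, 0, 0) + options + payload

def _ipv4(l4, options=b""):
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(l4),
                       0, 0, 64, 6, 0, bytes(4), bytes(4)) + options + l4

def _ipv6(l4):
    return struct.pack("!IHBB16s16s", 6 << 28, len(l4), 6, 64,
                       bytes(16), bytes(16)) + l4

def _eth(ethertype, l3):  # pads to the 60-byte Ethernet minimum
    return (bytes(12) + struct.pack("!H", ethertype) + l3).ljust(60, b"\0")

SAMPLES = {
    "ack_with_tcp_options": _eth(0x0800, _ipv4(_tcp(options=bytes(12)))),
    "one_byte_data": _eth(0x0800, _ipv4(_tcp(b"x"))),
    "ip_options_data": _eth(0x0800, _ipv4(_tcp(b"abc"), bytes(4))),
    "ipv6_data": _eth(0x86DD, _ipv6(_tcp(b"hello"))),
}
```

In these samples the 66-byte frame carries no payload while the padded 60-byte frame carries one byte, so the result comes from the header fields and not from the captured frame length.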
