[Winpcap-users] Filtering with BPF
Isara Anantavrasilp
isara.a at gmail.com
Mon Apr 14 13:39:12 GMT 2008
Hi,
Thanks a lot for the help.
The thread you forwarded me is indeed very helpful.
I was using this filter:
!(tcp[20:1] == "") && tcp && (tcp[12:1] == 50)) or (!(udp[8:1] == "") && udp)
(This one cannot handle TCP packets which are longer than 20 bytes but
can easily be modified to do so.)
The one in
http://www.tcpdump.org/lists/workers/2005/11/msg00027.html seems to be
more feasible indeed.
Thanks again!
Cheers,
Isara Anantavrasilp
On Sat, Apr 12, 2008 at 8:19 PM, Guy Harris <guy at alum.mit.edu> wrote:
> Leonardo Barata wrote:
>
>
> > As far as I know no, they don't vary. They're always of the same size
> > (ethernet + ip + tcp headers)
> >
>
> No. The Ethernet header is a fixed 14 bytes, but the IP and TCP headers
> can have options, so their length is variable.
>
> For IPv4, see http://www.tcpdump.org/lists/workers/2005/11/msg00027.html
> for an example of a capture filter to check for TCP packets without any
> payload.
>
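
Added example, not part of the original thread or of WinPcap: the variable header lengths discussed above, worked through in C over raw frame bytes, so that an ACK-only segment carrying TCP options is still recognised as having no payload. The function names and the sample frames are constructed for illustration; Ethernet II framing without a VLAN tag is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HLEN 14 /* Ethernet II header, no VLAN tag (assumption) */

/* TCP payload length of an Ethernet/IPv4/TCP frame, or -1 if it is not one.
 * Same arithmetic as ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2). */
int tcp_payload_len(const uint8_t *f, size_t caplen)
{
    if (caplen < ETH_HLEN + 20 || f[12] != 0x08 || f[13] != 0x00)
        return -1;                                    /* short, or not IPv4 */
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl   = (size_t)(ip[0] & 0x0f) << 2;       /* IP header: 20..60 bytes */
    size_t total = ((size_t)ip[2] << 8) | ip[3];      /* IP total length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6)
        return -1;                                    /* bad header, or not TCP */
    if (((ip[6] & 0x1f) << 8 | ip[7]) != 0)
        return -1;                                    /* later fragment: no TCP header */
    if (caplen < ETH_HLEN + ihl + 20 || total < ihl + 20)
        return -1;                                    /* fixed TCP header missing */
    size_t doff = (size_t)(ip[ihl + 12] & 0xf0) >> 2; /* TCP header: 20..60 bytes */
    if (doff < 20 || ihl + doff > total)
        return -1;
    return (int)(total - ihl - doff);
}

/* Constructed sample frame: zeroed except for the fields read above.
 * ip_opts and tcp_opts are option bytes, multiples of 4, at most 40. */
size_t build_frame(uint8_t *b, size_t ip_opts, size_t tcp_opts, size_t payload)
{
    size_t ihl = 20 + ip_opts, doff = 20 + tcp_opts, total = ihl + doff + payload;
    memset(b, 0, ETH_HLEN + total);
    b[12] = 0x08; b[13] = 0x00;                       /* EtherType IPv4 */
    b[ETH_HLEN] = (uint8_t)(0x40 | (ihl >> 2));       /* version 4, IHL in words */
    b[ETH_HLEN + 2] = (uint8_t)(total >> 8); b[ETH_HLEN + 3] = (uint8_t)total;
    b[ETH_HLEN + 9] = 6;                              /* protocol TCP */
    b[ETH_HLEN + ihl + 12] = (uint8_t)((doff >> 2) << 4);
    return ETH_HLEN + total;
}

int main(void)
{
    uint8_t f[256];
    size_t n = build_frame(f, 0, 12, 0);  /* ACK-only, 12 bytes of TCP options */
    printf("options, no data: payload=%d\n", tcp_payload_len(f, n));
    n = build_frame(f, 4, 0, 5);          /* IP options shift the TCP header */
    printf("ip options + data: payload=%d\n", tcp_payload_len(f, n));
    return 0;
}
```

In the first frame, byte 20 of the TCP header is an option byte rather than data, which is the case a fixed-offset test gets wrong.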