[Winpcap-users] Filtering with BPF

Isara Anantavrasilp isara.a at gmail.com
Mon Apr 14 13:39:12 GMT 2008


Thanks a lot for the help.
The thread you forwarded me is indeed very helpful.
I was using this filter:

!(tcp[20:1] == "") && tcp && (tcp[12:1] == 50)) or (!(udp[8:1] == "") && udp)

(This one cannot handle TCP packets which are longer than 20 bytes but
can be easily modified so.)

The one in the
http://www.tcpdump.org/lists/workers/2005/11/msg00027.html seems to be
more feasible indeed.

Thanks again!

Isara Anantavrasilp

On Sat, Apr 12, 2008 at 8:19 PM, Guy Harris <guy at alum.mit.edu> wrote:
> Leonardo Barata wrote:
> > As far as I know no, they don't vary. They're always of the same size
> (ethernet + ip + tcp headers)
> >
>  No.  The Ethernet header is a fixed 14 bytes, but the IP and TCP headers
> can have options, so their length is variable.
>  For IPv4, see http://www.tcpdump.org/lists/workers/2005/11/msg00027.html
> for an example of a capture filter to check for TCP packets without any
> payload.

More information about the Winpcap-users mailing list