  1. #1

    Complete list of byte offsets for filtering with TCPDump

    After wandering the net for TCPDump papers I've found some quite good info for those dealing with large traffic log files: TCPDump bit masking.
    Filtering with TCPDump using bit masking ends up being a good practice tool (and also very helpful) for those seeking a solid knowledge of tcpdump applicability.

    If you do a search about bitmasking you will find more information on this subject. Click Here for more info.

    Expressions
    Code:
    [x:y]             start at offset x from the beginning of packet and read y bytes
    [x]               abbreviation for [x:1]
    proto[x:y]        start at offset x into the proto header and read y bytes

    p[x:y] & z = 0    p[x:y] has none of the bits selected by z
    p[x:y] & z != 0   p[x:y] has any of the bits selected by z
    p[x:y] & z = z    p[x:y] has all of the bits selected by z
    p[x:y] = z        p[x:y] has only the bits selected by z


    IP byte offsets
    Code:
    ip[0] & 0xf0 - protocol version
    ip[0] & 0x0f - internet header length (in 32-bit words; a value above 5 means IP options are present)
    ip[1] - TOS
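
Added example, not part of the original post: a small Python emulation of the `proto[x:y]` accessor and the four mask tests, run against a constructed IPv4 header. It follows the IPv4 header layout, where the high nibble of byte 0 is the version and the low nibble is the header length in 32-bit words; the function names and the sample header are assumptions made for illustration.

```python
import struct

def field(hdr: bytes, x: int, y: int = 1) -> int:
    """Emulate proto[x:y]: read y bytes at offset x, network byte order."""
    if y not in (1, 2, 4):  # tcpdump accepts sizes 1, 2 or 4 only
        raise ValueError("size must be 1, 2 or 4")
    if x < 0 or x + y > len(hdr):
        raise IndexError("read past end of header")
    return int.from_bytes(hdr[x:x + y], "big")

# The four mask tests from the Expressions table (v = p[x:y], z = mask).
def none_of(v: int, z: int) -> bool: return v & z == 0
def any_of(v: int, z: int) -> bool: return v & z != 0
def all_of(v: int, z: int) -> bool: return v & z == z
def only(v: int, z: int) -> bool: return v == z

def describe_ip(hdr: bytes) -> dict:
    """Split ip[0] into its two nibbles and read ip[1]."""
    b0 = field(hdr, 0)
    ihl = b0 & 0x0f                   # low nibble: header length in words
    return {
        "version": (b0 & 0xf0) >> 4,  # high nibble: protocol version
        "ihl_words": ihl,
        "header_bytes": ihl * 4,
        "has_options": ihl > 5,       # more than 20 bytes means options
        "tos": field(hdr, 1),
    }

# Constructed sample: IPv4, IHL 6 (one 4-byte options word), TOS 0x10,
# documentation addresses 192.0.2.1 -> 198.51.100.7, checksum left at 0.
SAMPLE = struct.pack(
    "!BBHHHBBH4s4s4s",
    0x46, 0x10, 24, 0x1234, 0x4000, 64, 6, 0,
    bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),
    b"\x01\x01\x01\x00",
)

if __name__ == "__main__":
    print(describe_ip(SAMPLE))
    tos = field(SAMPLE, 1)
    # "any" and "all" differ as soon as the mask selects more than one bit.
    print(any_of(tos, 0x18), all_of(tos, 0x18), none_of(tos, 0x0f), only(tos, 0x10))
```

The equivalent tcpdump filter for the options check is `ip[0] & 0x0f > 5`.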

  2. #2

    Good information, thanks for sharing your research.

    Thanks for noting the source of the information as well.

  3. #3

    Excellent work. Would you mind if I used it to help/teach other people that I work with? You will, of course, be fully credited.

    Once again, excellent work.

  5. #5

    Great job!

    I've passed the link to your posting on to my coworkers!

    Cheers,
