Wireshark mailing list archives
Re: Wireshark Capture Filter Using Offset
From: Guy Harris <guy () alum mit edu>
Date: Mon, 19 Jul 2010 23:51:07 -0700
On Jul 19, 2010, at 11:37 PM, Guy Harris wrote:

> The UDP header is 16 bytes, so you have to add 16 to the offset from the beginning of the DNS header. The opcode is
> in the byte at an offset of 3 from the beginning of the DNS header, so that's an offset of 19 (which is *NOT* 0x2C!),
> so the filter would be
>
>     udp port domain and (udp[19] & 0x78) = 0x50

Sorry, that's

    udp port domain and (udp[19] & 0x78) = 0x28

Caring about the query vs. response flag is left as an exercise for the reader.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
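
Added example, not part of the original message: how the mask 0x78 and the corrected value 0x28 in the filter above follow from the opcode, and how the test extends to the query/response flag. It assumes the RFC 1035 bit layout of the header byte that carries QR and the opcode; the function names are hypothetical, and the byte offset is passed in by the caller (19 is the value used in the message).

```python
# Added example; not code from the thread or from Wireshark/libpcap.
# Assumed bit layout of the DNS header byte holding QR and opcode (RFC 1035):
#   0x80 = QR, 0x78 = opcode (4 bits), 0x04 = AA, 0x02 = TC, 0x01 = RD
QR_MASK = 0x80
OPCODE_MASK = 0x78
OPCODE_SHIFT = 3


def mask_and_value(opcode, qr=None):
    """Return (mask, value) for a 'byte & mask = value' comparison.

    qr=None ignores the query/response bit, qr=0 matches queries only,
    qr=1 matches responses only.
    """
    if not 0 <= opcode <= 15:
        raise ValueError("opcode is a 4-bit field")
    mask = OPCODE_MASK
    value = opcode << OPCODE_SHIFT
    if qr is not None:
        mask |= QR_MASK
        value |= QR_MASK if qr else 0
    return mask, value


def capture_filter(offset, opcode, qr=None):
    """Build the capture filter text; `offset` is supplied by the caller."""
    mask, value = mask_and_value(opcode, qr)
    return "udp port domain and (udp[%d] & 0x%02x) = 0x%02x" % (offset, mask, value)


def decode(byte):
    """Split a flags byte into (qr, opcode) using the same masks."""
    return (byte & QR_MASK) >> 7, (byte & OPCODE_MASK) >> OPCODE_SHIFT


def matches(byte, opcode, qr=None):
    """Apply the masked comparison to one flags byte."""
    mask, value = mask_and_value(opcode, qr)
    return (byte & mask) == value


if __name__ == "__main__":
    print(capture_filter(19, 5))          # opcode only
    print(capture_filter(19, 5, qr=0))    # queries only
    print(capture_filter(19, 5, qr=1))    # responses only
    print(decode(0x50), decode(0x28))     # what each compared value selects
```

Under this layout the first value, 0x50, selects opcode 10, while 0x28 selects opcode 5, which is why the comparison value changed and the mask did not.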
