To configure byte offset and payload matching filters, start Wireshark and follow the instructions in the Configuring capture filters recipe at the beginning of this chapter.
Byte offset filters check the value of one or more bytes at a fixed position in a protocol header. Note that libpcap capture filters compare byte values, not text strings; there is no string search in capture filter syntax (for that, use a display filter such as `frame contains`). We can write them in two ways:
- proto[offset:length], where offset is the number of bytes from the beginning of the protocol header, counting from 0, and length is the number of bytes to compare (1, 2, or 4). For example, ip[8:1] checks byte number 9 of the IP header (the TTL field), and tcp[8:2] checks bytes 9-10 of the TCP header (the upper half of the acknowledgment number).
- proto[offset], which is shorthand for proto[offset:1]. For example, ip[8] also checks byte number 9 of the IP header.
Offsets are counted from the start of the named header, so tcp[0] still points at the TCP source port when the IPv4 header carries options; libpcap uses the IHL field to find the transport header. A multi-byte field (length 2 or 4) is compared as an unsigned integer in network byte order. With these expressions we can create filters on IP, TCP, and UDP header fields. For bit-level (mask) matching filters, remember also that:
- proto[x:y] & z = 0: None of the bits selected by mask z are set (they are all 0)
- proto[x:y] & z != 0: At least one of the bits selected by mask z is set
- proto[x:y] & z = z: All of the bits selected by mask z are set (other bits in the field are ignored)
- proto[x:y] = z: The whole field equals z exactly, with no mask applied
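To make the offset and mask semantics concrete, the following is an added example, not code from the recipe or from Wireshark/libpcap. It is a small Python model of how a `proto[offset:length] & mask = value` capture filter is evaluated against a raw Ethernet/IPv4 frame: it locates the IP and TCP/UDP headers (honouring IHL so IP options shift the transport offset correctly), reads the selected bytes in network byte order, applies the mask, and compares. The frames are constructed inline for the demonstration (checksums left at zero), and the function names `header_offsets`, `matches` and `build_frame` are this example's own. Real filters are compiled to BPF by libpcap; this only models the comparison so you can check what a filter will match before using it.

```python
import re
import struct

# Grammar handled here: proto[off] or proto[off:len], an optional "& mask",
# then "=" or "!=" and a value. Numbers may be decimal or 0x-prefixed hex.
_FILTER_RE = re.compile(
    r"^(ip|tcp|udp)\[(\d+)(?::(\d+))?\]\s*"
    r"(?:&\s*(0x[0-9a-fA-F]+|\d+))?\s*(!?=)\s*(0x[0-9a-fA-F]+|\d+)$"
)


def _num(text):
    """Parse a decimal or 0x-hex literal."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def header_offsets(frame):
    """Locate the IPv4 and transport headers inside an Ethernet II frame.

    Returns e.g. {"ip": 14, "tcp": 34}. The transport offset is derived from
    the IHL field, so tcp[...] / udp[...] keep working when IP options exist.
    """
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    offsets = {"ip": ip_off}
    l4_proto = frame[ip_off + 9]
    if l4_proto == 6:
        offsets["tcp"] = ip_off + ihl
    elif l4_proto == 17:
        offsets["udp"] = ip_off + ihl
    return offsets


def matches(frame, expr):
    """Evaluate a byte-offset capture filter expression against one frame."""
    m = _FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    proto, off, width, mask, op, value = m.groups()
    offsets = header_offsets(frame)
    if proto not in offsets:
        return False  # tcp[...] against a UDP packet never matches
    start = offsets[proto] + int(off)
    width = int(width) if width else 1  # proto[off] means proto[off:1]
    field = int.from_bytes(frame[start:start + width], "big")  # network order
    if mask is not None:
        field &= _num(mask)
    target = _num(value)
    return field == target if op == "=" else field != target


def build_frame(tcp_flags, ip_options=b""):
    """Constructed Ethernet/IPv4/TCP frame for the demo (not a real capture).

    ip_options must be a multiple of 4 bytes; checksums are left at zero.
    """
    eth = bytes.fromhex("aaaaaaaaaaaa" "bbbbbbbbbbbb" "0800")
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x40 | ihl, 0, 20 + len(ip_options) + 20, 0x1234, 0x4000,  # DF set
        64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    ) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, tcp_flags, 65535, 0, 0)
    return eth + ip + tcp


SYN = build_frame(0x02)
SYN_ACK = build_frame(0x12)
SYN_WITH_OPTS = build_frame(0x02, b"\x01\x01\x01\x01")  # four NOP option bytes

if __name__ == "__main__":
    for expr in ["tcp[13] & 0x12 = 0x02", "tcp[13] & 0x12 = 0x12",
                 "tcp[13] & 0x10 = 0", "ip[8] = 64", "tcp[2:2] = 80",
                 "ip[6:2] & 0x1fff = 0"]:
        print(f"{expr:24} SYN={matches(SYN, expr)!s:5} SYN/ACK={matches(SYN_ACK, expr)}")
```

`tcp[13] & 0x12 = 0x02` is the classic "SYN without ACK" filter (byte 13 of the TCP header holds the flags; 0x02 is SYN, 0x10 is ACK), and the third frame shows that the same expression still finds the flags byte when the IP header is 24 bytes long instead of 20.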