Getting ready

To configure byte offset and payload matching filters, start Wireshark and follow the instructions in the Configuring capture filters recipe at the beginning of this chapter.

String matching filters check a specific string in the packet header. We can configure them in two ways:

  • proto[offset:bytes], where offset is the number of bytes from the beginning of the protocol header and bytes is how many bytes to check. For example, ip[8:1] checks byte number 9 of the IP header, and tcp[8:2] checks bytes 9-10 of the TCP header.
  • proto[byte], where byte indicates the byte number to check from the beginning of the protocol header. For example, ip[8] will also check byte number 9 of the IP header.

With this syntax, we can create filters for strings over IP, TCP, and UDP. For payload matching filters, remember also that:

  • proto[x:y] & z = 0: All bits selected by mask z are set to 0 in proto[x:y]
  • proto[x:y] & z != 0: At least one bit selected by mask z is set to 1 in proto[x:y]
  • proto[x:y] & z = z: All bits selected by mask z are set to 1 in proto[x:y] (the masked value equals z)
  • proto[x:y] = z: proto[x:y] has its bits set exactly to z
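To see how these offset and mask forms evaluate against real header bytes, here is a small evaluator written as an added example (not code from the book, Wireshark or libpcap). It runs over a constructed IPv4+TCP packet and assumes a 20-byte IP header with no options, so tcp[...] offsets begin at byte 20.

```python
import re
import struct

# Constructed sample packet (not captured traffic): a 20-byte IPv4 header
# (TTL 64, protocol 6, DF set, no fragment offset) followed by a 20-byte
# TCP header carrying a SYN+ACK from port 443 to port 51000.
IP_HDR = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH",
                      443, 51000, 1, 1, 0x50, 0x12, 65535, 0, 0)
PACKET = IP_HDR + TCP_HDR

# Offsets count from the start of each protocol header (assumption: the IP
# header has no options, so the TCP header starts at byte 20).
HEADER_START = {"ip": 0, "tcp": 20, "udp": 20}

# Grammar covered: proto[off] or proto[off:len], optional "& mask",
# then "= value" or "!= value"; values may be decimal or 0x-prefixed hex.
FILTER_RE = re.compile(
    r"^(?P<proto>ip|tcp|udp)\[(?P<off>\d+)(?::(?P<len>[124]))?\]"
    r"(?:\s*&\s*(?P<mask>0x[0-9a-fA-F]+|\d+))?"
    r"\s*(?P<op>=|!=)\s*(?P<val>0x[0-9a-fA-F]+|\d+)$"
)


def field(packet, proto, offset, length=1):
    """Return proto[offset:length] as an unsigned big-endian integer."""
    start = HEADER_START[proto] + offset
    return int.from_bytes(packet[start:start + length], "big")


def matches(packet, expr):
    """Evaluate a byte-offset/mask filter such as 'tcp[13] & 0x12 = 0x12'."""
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr}")
    value = field(packet, m["proto"], int(m["off"]), int(m["len"] or 1))
    if m["mask"]:
        value &= int(m["mask"], 0)   # apply mask z before comparing
    rhs = int(m["val"], 0)
    return value == rhs if m["op"] == "=" else value != rhs


if __name__ == "__main__":
    for f in ("ip[8] = 64", "tcp[13] & 0x12 = 0x12", "ip[6:2] & 0x1fff = 0"):
        print(f, "->", matches(PACKET, f))
```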