Byte offset and payload matching filters give us a flexible tool for building self-defined capture filters: filters on fields that the Wireshark dissectors do not know, and filters for proprietary protocols. Once we understand the protocol we work with and the structure of its packets, we can write a filter that looks for a specific value or string at a known position in the captured packets and keeps only the packets that match. In this recipe we will learn how to configure these filters, and we will also see some common and useful examples.
To configure byte offset and payload matching filters, start Wireshark and follow the instructions in the Configuring capture filters recipe in the beginning of this chapter. Note that these are capture filters in the libpcap/BPF syntax shared with tcpdump, not Wireshark display filters.
The general structure of an offset filter is:

proto[Offset:Bytes]

that is:

proto[Offset in bytes from the start of the header : Number of bytes to check]

Here proto names the protocol whose header we index (ether, ip, tcp, udp, icmp and others), Offset is counted from the first byte of that protocol's header, and Bytes is the number of bytes to read (1, 2 or 4). When :Bytes is omitted a single byte is read. The bytes are interpreted as an unsigned integer in network byte order (big-endian), so they can be compared with the usual operators (=, !=, <, >, <=, >=), masked with &, and combined with and, or and not. With this syntax we can create filters on the IP, TCP and UDP headers:

ip[Offset:Bytes]
tcp[Offset:Bytes]
udp[Offset:Bytes]
Common examples of byte offset filters are:

(tcp[2:2] > 50 and tcp[2:2] < 100)

Here we count two bytes from the beginning of the TCP header and check the next two bytes, which hold the destination port, to be higher than 50 and lower than 100.

tcp[14:2] < 8192

Here we count 14 bytes from the beginning of the TCP header and check the next two bytes, which hold the window size, to be less than 8192.
There is a nice string-matching capture filter generator at http://www.wireshark.org/tools/string-cf.html. It doesn't always produce working results, but it is a good place to start from.

You can also find additional filters in the tcpdump man pages, for example:

tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

This matches HTTP packets that carry data: the IP total length minus the IP header length minus the TCP header length is the payload length, which must not be zero.

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net <localnet>

This matches the start and end packets (SYN or FIN) of TCP connections that are not between two local hosts.

ether[0] & 1 = 0 and ip[16] >= 224

This matches IP broadcast or multicast packets (first byte of the destination address 224 or above) that were not sent to an Ethernet broadcast or multicast address.

icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

This matches all ICMP packets that are not echo requests or echo replies (that is, not pings).
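The following is an added example, not code from the book: a small Python re-implementation of the proto[Offset:Bytes] indexing that libpcap performs, used to check the recipe's two filters and the tcpdump man page filters above against constructed packets. The frames, MAC addresses, IP addresses and ports are constructed sample data (documentation ranges), not a real capture; the helper names (build_frame, header_offset, field) are assumptions of this example. It shows the point that matters most in practice: tcp[...] offsets are relative to the TCP header, whose position depends on the IP header length (IHL), so a filter written as a fixed offset into the frame would break on packets with IP options.

```python
"""Evaluate BPF-style proto[offset:size] capture filters over raw Ethernet frames.

Added example (not from the book): re-implements the byte-offset indexing that
libpcap/tcpdump perform so the recipe's offsets can be checked against packets.
All frames, addresses and ports below are constructed sample data.
"""
import struct

ETH_HDR_LEN = 14
IPPROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def build_frame(dst_port, window, payload=b"", ip_options=b"", flags=0x18,
                src_port=40000, dst_ip=bytes([198, 51, 100, 7])):
    """Construct an Ethernet/IPv4/TCP frame (constructed sample, not a real capture).

    ip_options lets us exercise a non-default IHL, which is what makes tcp[...]
    offsets differ from fixed offsets into the frame.
    """
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    # src port, dst port, seq, ack, data offset (5 words, no TCP options), flags, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, flags, window, 0, 0)
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0x4000,
                         64, IPPROTO["tcp"], 0, bytes([192, 0, 2, 1]), dst_ip) + ip_options
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def header_offset(frame, proto):
    """Return where proto's header starts in the frame, or None if it is not present.

    As in BPF, tcp/udp/icmp offsets are relative to the transport header, which is
    located by reading the IPv4 IHL field rather than assuming a 20-byte IP header.
    """
    if proto == "ether":
        return 0
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None  # only IPv4 over Ethernet is handled in this example
    if proto == "ip":
        return ETH_HDR_LEN
    ihl_bytes = (frame[ETH_HDR_LEN] & 0x0F) * 4
    if frame[ETH_HDR_LEN + 9] != IPPROTO.get(proto):
        return None  # the frame does not carry this layer-4 protocol
    return ETH_HDR_LEN + ihl_bytes


def field(frame, proto, offset, size=1):
    """Evaluate proto[offset:size] as an unsigned big-endian integer (BPF semantics).

    Returns None when the header is absent or the frame is too short; a BPF filter
    simply rejects such a packet, and the predicates below do the same.
    """
    start = header_offset(frame, proto)
    if start is None:
        return None
    chunk = frame[start + offset:start + offset + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None


def dst_port_between_50_and_100(frame):
    """(tcp[2:2] > 50 and tcp[2:2] < 100): bytes 2-3 of the TCP header are the destination port."""
    v = field(frame, "tcp", 2, 2)
    return v is not None and 50 < v < 100


def small_window(frame):
    """tcp[14:2] < 8192: bytes 14-15 of the TCP header are the window size."""
    v = field(frame, "tcp", 14, 2)
    return v is not None and v < 8192


def syn_or_fin(frame):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0: tcpflags is byte 13; SYN is 0x02, FIN is 0x01."""
    v = field(frame, "tcp", 13)
    return v is not None and (v & 0x03) != 0


def http_with_payload(frame):
    """tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

    IP total length minus IP header length minus TCP header length is the TCP
    payload length, so this keeps only HTTP segments that actually carry data.
    """
    sport, dport, doff = field(frame, "tcp", 0, 2), field(frame, "tcp", 2, 2), field(frame, "tcp", 12)
    if doff is None or 80 not in (sport, dport):
        return False
    payload_len = (field(frame, "ip", 2, 2)
                   - ((field(frame, "ip", 0) & 0x0F) << 2)   # IHL: 32-bit words -> bytes
                   - ((doff & 0xF0) >> 2))                    # data offset: words -> bytes
    return payload_len != 0


def ip_multicast_not_ether_multicast(frame):
    """ether[0] & 1 = 0 and ip[16] >= 224: unicast MAC carrying a multicast/broadcast IP destination."""
    mac0, dst0 = field(frame, "ether", 0), field(frame, "ip", 16)
    return dst0 is not None and (mac0 & 1) == 0 and dst0 >= 224
```

Running the predicates over a frame built with four bytes of IP options (IHL = 6) shows why the TCP qualifier matters: tcp[2:2] still reads the destination port because the TCP header is located through IHL, whereas a fixed frame offset would read into the options. A truncated frame makes field() return None and every predicate return False, which mirrors how BPF rejects packets that are too short for the requested offset.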