Offset filters are filters in which you say, "Go to field x in the protocol header and check whether the next y bytes equal …".
These filters are useful whenever a known byte string appears somewhere in the packet and you want to display the packets that contain it.
To step through this recipe, you need Wireshark running with a capture in progress; there are no other prerequisites. The general representation for offset filters is:
Protocols[x:y] == <value>
Here, x is the offset in bytes from the beginning of the header and y is the number of bytes to check.
Examples of filters that use substring operators are as follows:
eth.dst[0:3] == 01:00:5e
(RFC 1112, section 6.4 allocates the MAC address space of 01-00-5E-00-00-00 to 01-00-5E-FF-FF-FF for multicast addressing)
eth.dst[0:2] == 33:33
(RFC 2464, section 7 allocates the MAC address space that starts with 33-33 for multicast addressing)
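The slice semantics described above, as an added example that is not from the original text: a simplified Python model (not Wireshark's own filter engine) that applies field[x:y] == value to raw Ethernet frames. The field table, helper names and sample frames are assumptions constructed for the illustration.

```python
import re

# Byte ranges (start, length) of Ethernet II header fields inside a raw frame.
ETH_FIELDS = {"eth.dst": (0, 6), "eth.src": (6, 6), "eth.type": (12, 2)}
FILTER_RE = re.compile(r"^\s*([\w.]+)\[(\d+):(\d+)\]\s*==\s*([0-9A-Fa-f:]+)\s*$")


def parse_offset_filter(expr):
    """Split 'field[x:y] == aa:bb:cc' into (field, x, y, value bytes)."""
    m = FILTER_RE.match(expr)
    if not m or m.group(1) not in ETH_FIELDS:
        raise ValueError(f"unsupported offset filter: {expr!r}")
    value = bytes.fromhex(m.group(4).replace(":", ""))
    return m.group(1), int(m.group(2)), int(m.group(3)), value


def matches(frame, expr):
    """True when the y bytes at offset x of the named field equal the value."""
    field, x, y, value = parse_offset_filter(expr)
    start, length = ETH_FIELDS[field]
    if len(frame) < start + length or x + y > length:
        return False  # field missing from a truncated frame, or slice too long
    return frame[start + x:start + x + y] == value


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


# Constructed sample frames: destination MAC, source MAC, EtherType, padding.
SRC = mac("02:00:00:00:00:01")
FRAMES = {
    "ipv4_mdns": mac("01:00:5e:00:00:fb") + SRC + b"\x08\x00" + bytes(46),
    "ipv6_all_nodes": mac("33:33:00:00:00:01") + SRC + b"\x86\xdd" + bytes(46),
    "ipv6_solicited": mac("33:33:ff:12:34:56") + SRC + b"\x86\xdd" + bytes(46),
    "unicast": mac("02:00:00:00:00:02") + SRC + b"\x08\x00" + bytes(46),
    "truncated": b"\x01\x00\x5e",
}


def select(expr):
    """Names of the sample frames that the offset filter would display."""
    return sorted(name for name, frame in FRAMES.items() if matches(frame, expr))


if __name__ == "__main__":
    for expr in ("eth.dst[0:3] == 01:00:5e", "eth.dst[0:2] == 33:33",
                 "eth.dst[0:3] == 33:33:00", "eth.src[0:1] == 02"):
        print(f"{expr:28} -> {select(expr)}")
```

The two IPv6 filters in the loop differ only in slice length: the two-byte compare shows both 33:33 frames, while a three-byte compare against 33:33:00 drops the solicited-node frame 33:33:ff:12:34:56.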