Hi, I have a capture of ethernet traffic. Now, I want to sift thru and display the packets and find those that have a certain keyword as well as a specific character (in hex) in say the 14th position of the ethernet packet(s). The keyword I am looking for can be found by the frame contains clause - how do I find the offset into the ethernet packet at the 14th position ? Thanks in advance. asked 21 Sep '10, 13:45 codie9002 |
One Answer:
frame[13:1] == 00 Count into the frame starting at zero (so "13" means you are interested in the 14th byte) and look for a single byte equal to 0x00 (in this exacmple). That's kinda weird to be looking at the 14th byte as it will likely be either 0x00 or 0x06 (as in 0x0800 or 0x0806 for IP and ARP respectively). Just a note there. answered 21 Sep '10, 16:24 lchappell ♦ |
By "14th position" do you mean "the last byte of the Ethernet header", e.g.:
Ethernet destination: 00:01:02:03:04:05 = the 1st through the 6th position; Ethernet source: 05:04:03:02:01:00 = the 7th through the 12th position; Ethernet type/length: 08:00 = the 13th and the 14th position;
in which case see Laura's answer, or do you mean "the first byte of the Ethernet payload", i.e., that, in the example there, the Ethernet destination is the 0th through the 5th position, etc. (i.e., zero-origin), in which case it'd be "frame[14:1] = 00"?