This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I have a capture of ethernet traffic. Now, I want to sift thru and display the packets and find those that have a certain keyword as well as a specific character (in hex) in say the 14th position of the ethernet packet(s). The keyword I am looking for can be found by the frame contains clause - how do I find the offset into the ethernet packet at the 14th position ?

Thanks in advance.

asked 21 Sep '10, 13:45

codie9002's gravatar image

codie9002
1222
accept rate: 0%

1

By "14th position" do you mean "the last byte of the Ethernet header", e.g.:

Ethernet destination: 00:01:02:03:04:05 = the 1st through the 6th position; Ethernet source: 05:04:03:02:01:00 = the 7th through the 12th position; Ethernet type/length: 08:00 = the 13th and the 14th position;

in which case see Laura's answer, or do you mean "the first byte of the Ethernet payload", i.e., that, in the example there, the Ethernet destination is the 0th through the 5th position, etc. (i.e., zero-origin), in which case it'd be "frame[14:1] = 00"?

(06 Oct '10, 16:36) Guy Harris ♦♦

frame[13:1] == 00

Count into the frame starting at zero (so "13" means you are interested in the 14th byte) and look for a single byte equal to 0x00 (in this exacmple).

That's kinda weird to be looking at the 14th byte as it will likely be either 0x00 or 0x06 (as in 0x0800 or 0x0806 for IP and ARP respectively). Just a note there.

permanent link

answered 21 Sep '10, 16:24

lchappell's gravatar image

lchappell ♦
1.2k2730
accept rate: 8%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×205
×87
×13
×1

question asked: 21 Sep '10, 13:45

question was seen: 11,908 times

last updated: 06 Oct '10, 16:36

p​o​w​e​r​e​d by O​S​Q​A