I have a capture of ethernet traffic. Now, I want to sift through and display the packets and find those that have a certain keyword as well as a specific character (in hex) in say the 14th position of the ethernet packet(s). The keyword I am looking for can be found by the frame contains clause - how do I find the offset into the ethernet packet at the 14th position?
Thanks in advance.
asked 21 Sep '10, 13:45
frame[13:1] == 00
Count into the frame starting at zero (so "13" means you are interested in the 14th byte) and look for a single byte equal to 0x00 (in this example).
That's kinda weird to be looking at the 14th byte as it will likely be either 0x00 or 0x06 (as in 0x0800 or 0x0806 for IP and ARP respectively). Just a note there.
answered 21 Sep '10, 16:24
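The combined test from the question (keyword anywhere in the frame plus one byte at a fixed offset) applied to a capture file outside Wireshark, as an added example that is not part of the original question or answer. The keyword "secret", the sample frames and all function names are constructed for illustration; the reader handles only classic microsecond-resolution pcap files, not pcapng.

```python
import struct

PCAP_HDR = "IHHiIII"   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = "IIII"       # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(frames):
    """Build a little-endian classic pcap (linktype 1 = Ethernet) in memory."""
    out = struct.pack("<" + PCAP_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<" + REC_HDR, i, 0, len(frame), len(frame)) + frame
    return out

def read_frames(pcap):
    """Yield (frame_number, raw_bytes); frame numbers start at 1 as in Wireshark."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off, number = struct.calcsize("<" + PCAP_HDR), 1
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + REC_HDR, pcap, off)[2]
        off += 16
        yield number, pcap[off:off + incl_len]
        off += incl_len
        number += 1

def matches(frame, keyword, offset, value):
    """Same test as: frame contains "keyword" && frame[offset:1] == value"""
    if offset >= len(frame):
        return False  # a slice past the end of a short frame never matches
    return keyword in frame and frame[offset] == value

def filter_pcap(pcap, keyword, offset, value):
    """Return the numbers of the frames that satisfy both conditions."""
    return [n for n, frame in read_frames(pcap) if matches(frame, keyword, offset, value)]

# Constructed sample frames: dst MAC, src MAC, EtherType, then payload bytes.
MACS = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
SAMPLE = build_pcap([
    MACS + b"\x08\x00" + b"user=admin secret=1",   # EtherType 0x0800, keyword present
    MACS + b"\x08\x06" + b"padding secret here",   # EtherType 0x0806, keyword present
    MACS + b"\x08\x00" + b"nothing to see here",   # EtherType 0x0800, no keyword
    b"secretxxxx",                                 # truncated: no byte at offset 13
])

if __name__ == "__main__":
    print(filter_pcap(SAMPLE, b"secret", 13, 0x00))  # [1]
```

Offset 13 is the low byte of the EtherType field, which is why frames 1 and 2 differ only in the value found there.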