How to convert this display filter syntax to capture filter syntax?

ip.hdr_len >= 20

asked 02 Oct '13, 05:41 stih
edited 02 Oct '13, 08:50 cmaynard ♦♦
One Answer:
The following capture filter should give you what you asked for:
For more information on capture filter syntax, refer to the pcap-filter man page. They even provide the following very similar example: The expression

answered 02 Oct '13, 08:48 cmaynard ♦♦
Thank you for the answer. I have one more question. Please explain what each part means:
ip[0]&0x0f >= 5
ip[0] is the first (well, zeroth) byte of the IP part of the frame. & means to do a bitwise AND operation, using 0xf (hexadecimal for binary 00001111) as the other operand. So the result of "ip[0] & 0xf" is just the lowest (rightmost) 4 bits. We then return true if the result is greater than or equal to 5. The 4-bit header length field is in units of 4 octets, and 4 x 5 = 20 (which is the length you were comparing for in the display filter string).
This question is starting to feel more and more like a homework assignment to me, because you obviously haven't read the pcap-filter man page. If you had, you would find your answer rather easily. And you might want to also reference RFC 791 to have a better understanding of the IP header fields.
Oops, sorry @cmaynard, I already converted his comment to a new question.
You made it too easy ;) Oh well.
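The byte arithmetic explained in the comment above, as an added example that is not part of the original thread: it applies both filter forms to constructed IPv4 headers and shows they agree for every possible IHL value. The function names, the sample addresses (documentation ranges) and the zeroed checksum are assumptions made for the illustration.

```python
import socket
import struct

def build_ipv4_header(ihl: int) -> bytes:
    """Constructed sample header: 20 fixed bytes plus zeroed option padding."""
    options = b"\x00" * (max(ihl - 5, 0) * 4)
    fixed = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,                    # version 4 in high nibble, IHL in low nibble
        0, 20 + len(options),              # TOS, total length
        0, 0,                              # identification, flags/fragment offset
        64, 6, 0,                          # TTL, protocol (TCP), checksum left at 0
        socket.inet_aton("192.0.2.1"),     # constructed source address
        socket.inet_aton("198.51.100.1"),  # constructed destination address
    )
    return fixed + options

def capture_filter(ip: bytes) -> bool:
    """ip[0] & 0x0f >= 5: mask off the version nibble, compare IHL in 4-octet words."""
    return (ip[0] & 0x0F) >= 5

def display_filter(ip: bytes) -> bool:
    """ip.hdr_len >= 20: the same field expressed in bytes (IHL * 4)."""
    return (ip[0] & 0x0F) * 4 >= 20

def classify(ip: bytes) -> str:
    """Label a header by its IHL; RFC 791 sets the minimum valid value at 5."""
    ihl = ip[0] & 0x0F
    if ihl < 5:
        return "invalid"
    if len(ip) < ihl * 4:
        return "truncated"
    return "options" if ihl > 5 else "no-options"

if __name__ == "__main__":
    for ihl in (4, 5, 6, 15):
        hdr = build_ipv4_header(ihl)
        print(f"ip[0]=0x{hdr[0]:02x} IHL={ihl} hdr_len={ihl * 4} "
              f"capture={capture_filter(hdr)} display={display_filter(hdr)} "
              f"{classify(hdr)}")
```

An IHL below 5 fails both filters, so headers that are malformed in that way are excluded from a capture taken with this expression.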