I am trying to create a capture filter for a DNS request. I can match the hex but specific payload pattern changes places. udp[18:4]=0x* or udp[19:4]=0x* or udp[20:4]=0x** can I match specific payload at several packet/locations using a easier capture expression? perhaps rex? Can anyone help me please ? Thanks you. asked 23 Jan '17, 08:07  Oskarino |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
There was a gorgeous talk (https://youtu.be/DS4j9pwVuog) by Sake at Sharkfest explaining BPF (capture filter) in detail. The presentation is also available (https://sharkfest.wireshark.org/assets/presentations16/13.pdf).
Maybe this helps.