Hello Guy, >> I know i need to use pcap_compile() method and third >> parameter is char *. As i read in filtering >> expression syntax i see 'proto [ expr : size ]'. >> How do i use this something like like >> 'ether[21:2]==0xbbbb'. Is this correct ?
GH> No, because the Ethernet header is only 14 bytes long, so "ether[21:2]" GH> isn't part of the Ethernet header. Maybe it isn't about the header, maybe it's about the level of OSI model? I.e. "ether" means only start point of array of bytes. Correct me... GH> You'd want GH> ether proto 0xbbbb GH> to have a filter for frames with an Ethernet type of 0xbbbb. Ethereal accepts filter 'ether[21:2]==0xbbbb' (and 'ether[21:2]=0xbbbb', and 'ip[7:2]==0xbbbb', and 'ip[7:2]=0xbbbb'), so may be I'm right? -- i! ================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/ To unsubscribe use mailto: [EMAIL PROTECTED] ==================================================================
