Frank Bulk wrote:

> Now, to take it one step farther, I need to apply that capture filter to the
> client field (labeled in the display filter 'bootp.hw.mac_addr').
> Is that possible in a capture filter?  And if you're going to ask if the
> offset from the start of the packet is consistent, it's not.

Offsets can be computed based on the values in other fields:

    expr relop expr
        True if the relation holds, where relop is one of >, <, >=, <=,
        =, !=, and expr is an arithmetic expression composed of integer
        constants (expressed in standard C syntax), the normal binary
        operators [+, -, *, /, &, |, <<, >>], a length operator, and
        special packet data accessors. Note that all comparisons are
        unsigned, so that, for example, 0x80000000 and 0xffffffff are > 0.
        To access data inside the packet, use the following syntax:

            proto [ expr : size ]

I.e., it says "expr" in "proto[expr:size]", which means the offset in
"proto[expr:size]" can be an arbitrary expression.

Figuring out the right expression is left as an exercise for the reader.
(If it involves a loop, however, forget it - the offset *eventually* has to
be based on values at a fixed offset from, for example, the beginning of the
UDP payload. Fortunately, the UDP header is fixed-length....)
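
An added example, not part of the original message: a Python sketch of what a capture filter such as `udp[36:4] = 0x00112233 and udp[40:2] = 0x4455` computes, locating the BOOTP client hardware address from the IP header length instead of a fixed offset from the start of the frame. It assumes untagged Ethernet II, IPv4, and the standard BOOTP layout (chaddr 28 bytes into the message, after the 8-byte UDP header); the helper names, MAC address and packets are constructed for illustration, and a varying IP header length is only one possible reason for the inconsistent offset mentioned in the question.

```python
import struct

ETH_LEN, UDP_LEN, CHADDR_OFF = 14, 8, 28  # Ethernet II (assumed untagged), UDP header, chaddr offset in BOOTP

def build_packet(mac: bytes, ip_options: bytes = b"") -> bytes:
    """Constructed BOOTP request; ip_options must be a multiple of 4 bytes."""
    ihl = 5 + len(ip_options) // 4
    # op, htype, hlen, hops + 24 bytes (xid..giaddr) + chaddr (16) + sname/file (192)
    bootp = bytes([1, 1, 6, 0]) + bytes(24) + mac + bytes(10) + bytes(192)
    udp = struct.pack("!HHHH", 68, 67, UDP_LEN + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(udp),
                     0, 0, 64, 17, 0, bytes(4), b"\xff" * 4) + ip_options
    return b"\xff" * 6 + mac + b"\x08\x00" + ip + udp

def udp_accessor(pkt: bytes, offset: int, size: int):
    """Emulate udp[offset:size]; None means the filter would not match."""
    if len(pkt) < ETH_LEN + 20 or pkt[12:14] != b"\x08\x00":
        return None                      # not IPv4 over Ethernet II
    ip = pkt[ETH_LEN:]
    if ip[9] != 17 or struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return None                      # not UDP, or a non-first fragment
    ihl = (ip[0] & 0x0F) << 2            # the value in another field that moves the offset
    start = ETH_LEN + ihl + offset
    if start + size > len(pkt):
        return None                      # read past captured data
    return int.from_bytes(pkt[start:start + size], "big")

def matches_chaddr(pkt: bytes, mac: bytes) -> bool:
    """Equivalent of: udp[36:4] = <first 4 bytes> and udp[40:2] = <last 2 bytes>."""
    base = UDP_LEN + CHADDR_OFF          # 36
    return (udp_accessor(pkt, base, 4) == int.from_bytes(mac[:4], "big")
            and udp_accessor(pkt, base + 4, 2) == int.from_bytes(mac[4:], "big"))

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")  # constructed address
    for label, pkt in (("no IP options", build_packet(mac)),
                       ("8 bytes of IP options", build_packet(mac, b"\x01" * 8))):
        fixed = pkt[70:76] == mac        # fixed offset from the start of the frame
        print(f"{label}: fixed-offset={fixed} udp[]={matches_chaddr(pkt, mac)}")
```

The accessor is split into a 4-byte and a 2-byte read because the size in `proto[expr:size]` can only be 1, 2 or 4.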