On Sun, Aug 11, 2002 at 07:05:28PM +0800, Iain McAleer wrote:
> i'm just wondering if pcap has any facilities to check if DF is set or if
> certain bits in headers are set or not?
The only facilities it has to do that are the facilities offered by
filters, by using the
expr relop expr
True if the relation holds, where relop is
one of >, <, >=, <=, =, !=, and expr is an
arithmetic expression composed of integer
constants (expressed in standard C syntax),
the normal binary operators [+, -, *, /, &,
|], a length operator, and special packet
data accessors. To access data inside the
packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp,
tcp, udp, or icmp, and indicates the proto-
col layer for the index operation. The byte
offset, relative to the indicated protocol
layer, is given by expr. Size is optional
and indicates the number of bytes in the
field of interest; it can be either one,
two, or four, and defaults to one. The
length operator, indicated by the keyword
len, gives the length of the packet.
For example, `ether[0] & 1 != 0' catches all
multicast traffic. The expression `ip[0] &
0xf != 5' catches all IP packets with
options. The expression `ip[6:2] & 0x1fff =
0' catches only unfragmented datagrams and
frag zero of fragmented datagrams. This
check is implicitly applied to the tcp and
udp index operations. For instance, tcp[0]
always means the first byte of the TCP
header, and never means the first byte of an
intervening fragment.
feature of the capture filter language.
It does not include any code to do packet dissection of the type that a
network analyzer program such as tcpdump does (it's a capture library,
not a dissection library).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
