On Oct 8, 2009, at 3:59 AM, <peter.ki...@orf.at> wrote:
> 1.)
> I'd urgently need help/advice on how the following filter string has
> to be set as a WinPcap filter string:
> I can't find any working string for the protocols. "eth src
> 00:0e:0C:76:86:5e" is working.
> Thanks for any reply and help
> My filter in Wireshark:
> ((eth.src == 00:0e:0c:76:86:5e)&&!(frame.protocols=="eth:llc"))&&!(frame.protocols="eth:ans")
"frame.protocols" doesn't have any direct equivalent in libpcap - the
filtering is done by a *much* simpler engine, which doesn't do full-blown
dissection, as Wireshark does.
Why are you using "frame.protocols"? Why not use, for example:
(eth.src == 00:0e:0c:76:86:5e) && !llc && !ans
*That* would translate to
(eth src 00:0e:0C:76:86:5e) and (ether[12:2] >= 1500) and (not ether proto 0x886d)
("!llc" means, on Ethernet, that the traffic is either regular
Ethernet traffic with the type/length field being a type - that means
"larger than 1500" - or Novell's old IPX-on-Ethernet-with-no-LLC, but
I'm ignoring the latter for now.)
> 2.)
> Could someone tell me how to reassemble NetBIOS Datagram
> protocol:DCERPC?
> How do Wireshark and co. know the number of frames, total size, ...?
See
http://www.opengroup.org/onlinepubs/009629399/
for the DCE RPC specifications; in particular, see
http://www.opengroup.org/onlinepubs/009629399/chap12.htm#tagcjh_17_05
for the datagram version of DCE RPC, and the "fragnum" field and the
"frag" and "lastfrag" bits.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
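Added example (not part of the thread above, and not Wireshark's or libpcap's code): one short Python script covering both answers. The first part applies the translated libpcap expression to raw Ethernet frames by checking the same bytes the BPF engine does (source MAC at offsets 6..11, type/length at 12..13). One caveat: IEEE 802.3 draws the type/length boundary at 1536 (0x600), so a ">= 1500" test also admits the unused values 1501..1535, which makes no difference in practice. The second part reassembles connectionless DCE RPC fragments the way the cited spec implies: there is no total-size or fragment-count field, so fragments are collected per (activity UUID, seqnum), ordered by fragnum, and the body is complete only once the fragment flagged lastfrag and every lower fragnum have arrived. The 80-byte CL header offsets and the flags1 bits (lastfrag 0x02, frag 0x04) are taken from the DCE 1.1 RPC spec, chapter 12; all frames and PDUs are constructed test data, the helper names are my own, and the PDU builder zeroes every header field the reassembler does not read.

```python
import struct

# Part 1: the translated libpcap expression, applied by hand to a raw frame.
SRC_MAC = bytes.fromhex("000e0c76865e")   # the eth src from the question
ETHERTYPE_ANS = 0x886D                    # Intel ANS, Wireshark's "ans"


def ether_filter(frame: bytes) -> bool:
    """(eth src SRC_MAC) and (ether[12:2] >= 1500) and (not ether proto 0x886d).

    ether[12:2] is the big-endian 16-bit type/length field; values <= 1500
    are an 802.3 length (LLC follows), so ">= 1500" keeps DIX frames and
    drops the LLC ones."""
    if len(frame) < 14:
        return False
    type_or_len = struct.unpack_from("!H", frame, 12)[0]
    return (frame[6:12] == SRC_MAC
            and type_or_len >= 1500
            and type_or_len != ETHERTYPE_ANS)


def ethernet_demo():
    """Constructed frames: DIX IPv4, 802.3/LLC (length 46), Intel ANS, and
    a DIX frame from a different source MAC."""
    dst = b"\xff" * 6
    frames = [
        dst + SRC_MAC + b"\x08\x00" + b"\x45" + b"\x00" * 45,            # IPv4
        dst + SRC_MAC + b"\x00\x2e" + b"\xaa\xaa\x03" + b"\x00" * 43,    # LLC/SNAP
        dst + SRC_MAC + b"\x88\x6d" + b"\x00" * 46,                      # ANS
        dst + bytes.fromhex("001122334455") + b"\x08\x00" + b"\x00" * 46,
    ]
    return [ether_filter(f) for f in frames]


# Part 2: connectionless DCE RPC (rpc_vers 4) fragment reassembly.
# 80-byte header layout from the DCE 1.1 RPC spec, chapter 12; only the
# fields needed here are decoded.
CL_HDR_LEN = 80
PF_LAST_FRAG = 0x02   # flags1: this PDU carries the last fragment
PF_FRAG = 0x04        # flags1: PDU is one fragment of a larger body


def parse_cl_pdu(pdu: bytes):
    """Return (act_uuid, seqnum, fragnum, flags1, body) from a CL PDU."""
    if len(pdu) < CL_HDR_LEN or pdu[0] != 4:
        raise ValueError("not a CL DCE RPC PDU")
    flags1 = pdu[2]
    endian = "<" if (pdu[4] >> 4) == 1 else ">"   # drep[0] high nibble: 1 = LE
    act_uuid = pdu[40:56]
    seqnum = struct.unpack_from(endian + "I", pdu, 64)[0]
    length, fragnum = struct.unpack_from(endian + "HH", pdu, 74)
    body = pdu[CL_HDR_LEN:CL_HDR_LEN + length]
    if len(body) != length:
        raise ValueError("truncated PDU body")
    return act_uuid, seqnum, fragnum, flags1, body


class DgReassembler:
    """No header field announces the total size or fragment count, so
    fragments are kept per (activity UUID, seqnum) and the body is returned
    only once the lastfrag fragment and every lower fragnum are present."""

    def __init__(self):
        self.pending = {}   # (act, seq) -> {fragnum: body}
        self.last = {}      # (act, seq) -> fragnum flagged lastfrag

    def feed(self, pdu: bytes):
        act, seq, fragnum, flags1, body = parse_cl_pdu(pdu)
        if not flags1 & PF_FRAG:
            return body                      # unfragmented: complete as-is
        key = (act, seq)
        frags = self.pending.setdefault(key, {})
        frags.setdefault(fragnum, body)      # retransmitted duplicates ignored
        if flags1 & PF_LAST_FRAG:
            self.last[key] = fragnum
        last = self.last.get(key)
        if last is None or any(n not in frags for n in range(last + 1)):
            return None                      # still waiting for fragments
        del self.pending[key], self.last[key]
        return b"".join(frags[n] for n in range(last + 1))


def build_cl_pdu(act, seqnum, fragnum, flags1, body):
    """Constructed little-endian CL request PDU; unused header fields zero."""
    hdr = bytearray(CL_HDR_LEN)
    hdr[0], hdr[2], hdr[4] = 4, flags1, 0x10   # rpc_vers, flags1, drep (LE)
    hdr[40:56] = act
    struct.pack_into("<I", hdr, 64, seqnum)
    struct.pack_into("<HH", hdr, 74, len(body), fragnum)
    return bytes(hdr) + body


def reassembly_demo():
    """Three fragments delivered last-first, with fragment 1 repeated."""
    act = bytes(range(16))                   # constructed activity UUID
    parts = [b"A" * 10, b"B" * 10, b"C" * 5]
    pdus = [build_cl_pdu(act, 7, i, PF_FRAG | (PF_LAST_FRAG if i == 2 else 0), p)
            for i, p in enumerate(parts)]
    r = DgReassembler()
    return [r.feed(pdus[2]), r.feed(pdus[1]), r.feed(pdus[1]), r.feed(pdus[0])]
```

ethernet_demo() returns one boolean per constructed frame and only the DIX IPv4 frame from the matching source passes; reassembly_demo() returns None for the first three deliveries and the joined 25-byte body on the fourth, once fragment 0 fills the last gap below the lastfrag fragment.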