
How to filter STUN packets by Message Transaction ID in Wireshark

I am using Wireshark Network Protocol Analyzer 1.12.2 (OS: Windows). Is it possible to filter STUN packets by Message Transaction ID from tcpdump using this software? Thanks in advance.

Deconstructing a BPF filter in tcpdump

Trying to deconstruct this tcpdump BPF-style filter, and need some help: 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'. It's taken from here. Steps I have taken to better understand what is going on: 1. Let's convert the 0x47455420 to ASCII ===> GET ===> tcp[((tcp[12:1] & 0xf0) >> 2):4] =...
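The offset arithmetic in that filter, traced in plain Python as an added example (not code from the question or the page it links to): `tcp[12:1] & 0xf0` keeps the Data Offset nibble, `>> 2` turns it into a byte count, and the 4-byte load at that offset is compared with `0x47455420` (`b"GET "`). The TCP segments are constructed inline, including one with a 12-byte options block, to show why the filter is written against the data offset rather than a hard-coded `tcp[20:4]`.

```python
import struct

# Added example (not from the question): evaluate the tcpdump/BPF filter
#   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
# in plain Python on constructed TCP segments, so the offset arithmetic
# can be traced step by step.

HTTP_GET_WORD = 0x47455420  # the four ASCII bytes b"GET "


def tcp_header_len(tcp: bytes) -> int:
    """tcp[12:1] & 0xf0 keeps the Data Offset nibble (header length in
    32-bit words, stored in the high 4 bits of byte 12).  Dividing by 16
    gives words and multiplying by 4 gives bytes, a net shift right by 2,
    which is why the filter uses >> 2 rather than >> 4."""
    return (tcp[12] & 0xF0) >> 2


def matches_http_get(tcp: bytes) -> bool:
    """The whole filter: load 4 bytes at the start of the TCP payload and
    compare them with 0x47455420.  A BPF program that loads past the end
    of the packet fails the match, so short segments return False."""
    if len(tcp) < 13:
        return False
    payload_off = tcp_header_len(tcp)
    if payload_off < 20 or len(tcp) < payload_off + 4:
        return False
    return struct.unpack_from("!I", tcp, payload_off)[0] == HTTP_GET_WORD


def naive_match(tcp: bytes) -> bool:
    """The shortcut people try first, tcp[20:4] = 0x47455420.  It assumes a
    20-byte header and misses requests that carry TCP options."""
    return len(tcp) >= 24 and struct.unpack_from("!I", tcp, 20)[0] == HTTP_GET_WORD


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment (not a real capture): fixed 20-byte header,
    options padded to a 4-byte boundary, then the payload."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        40000, 80,               # source and destination ports
        1, 1,                    # sequence and acknowledgement numbers
        data_offset_words << 4,  # byte 12: data offset in the high nibble
        0x18,                    # flags PSH|ACK
        65535, 0, 0,             # window, checksum (left zero), urgent pointer
    )
    return header + options + payload


# A timestamp option (kind 8, length 10) preceded by two NOPs: 12 bytes.
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8

plain_get = build_tcp_segment(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
get_with_opts = build_tcp_segment(b"GET / HTTP/1.1\r\n", options=TS_OPTION)
post = build_tcp_segment(b"POST / HTTP/1.1\r\n")

if __name__ == "__main__":
    for name, seg in [("plain GET", plain_get),
                      ("GET with options", get_with_opts),
                      ("POST", post)]:
        print(f"{name:18s} header={tcp_header_len(seg):2d}  "
              f"filter={matches_http_get(seg)}  naive={naive_match(seg)}")
```

Running it shows the filter matching both GET segments while the `tcp[20:4]` shortcut misses the one with options, because its first four payload bytes sit at offset 32, not 20.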

How to read a pcap file and save the data using cli?

I can write a program which does it, but actually, is there a way to do it as a one-liner from the CLI? I don't care about the time it takes; I prefer to have some standard solution instead of developing and maintaining my own code. By data I mean everything...

redirecting awk output to file in bash

I am working on a bash script that captures beacon frame packets (without bad FCS) and outputs them in a preferred format, but I am having a problem redirecting the output to a file. This is my command line when I am redirecting to a file called temp: tcpdump -I -i...

Are Berkeley Packet Filter opcode values implementation defined?

Are Berkeley Packet Filter opcode values implementation-defined? I always thought of tcpdump/libpcap as authoritative in the BPF arena. I noticed that the Linux kernel and tcpdump read BPF filters differently. The BPF mnemonics and behavior are the same, but the actual opcode values themselves seem different. I went looking...

ngrep - inverted port results

I'm curious if ngrep can do inverted matches based on ports? I've tried something along the lines of: ngrep -d any -v port 22, which reports interface: any, filter: ( port 22 ) and (ip or ip6). And although it says the filter is for 'port 22', it doesn't pick up any...

Read libpcap file with specific endianness

I wrote a C program to read a .pcap file. What confuses me is that the data I read had a different endianness than Wireshark shows. I'm working on x86 arch, which as far as I can see is little-endian. So, can I read the .pcap file as big-endian? How? Code fragments: /*...
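As an added example (not the question's C code), here is how libpcap and Wireshark decide the byte order of a pcap file: the global header and every record header are written in the capturing host's native order, and the magic number read back as big-endian reveals which order that was (0xa1b2c3d4 or the nanosecond variant 0xa1b23c4d means a big-endian writer; the byte-swapped values mean a little-endian writer such as x86). The packet bytes themselves are in network order regardless of the host, which is the usual reason a C reader on x86 sees "swapped" IP fields. The two sample files are constructed in memory.

```python
import struct

# Added example (not the question's code): detect the byte order of a pcap
# file from its magic number and read the headers in that order, as
# libpcap and Wireshark do.  Sample files are constructed below.

GLOBAL_HEADER = "IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"     # ts_sec, ts_frac, incl_len, orig_len

# Magic number as it appears when the first 4 bytes are read big-endian.
_MAGIC_BE = {
    0xA1B2C3D4: (">", False),  # big-endian writer, microsecond timestamps
    0xA1B23C4D: (">", True),   # big-endian writer, nanosecond timestamps
    0xD4C3B2A1: ("<", False),  # little-endian writer (e.g. x86), microseconds
    0x4D3CB2A1: ("<", True),   # little-endian writer, nanoseconds
}


def pcap_byte_order(data: bytes):
    """Return (struct byte-order prefix, nanosecond flag) or raise ValueError."""
    magic = struct.unpack_from(">I", data, 0)[0]
    try:
        return _MAGIC_BE[magic]
    except KeyError:
        raise ValueError(f"not a pcap file: magic 0x{magic:08x}") from None


def read_pcap(data: bytes):
    """Parse the global header and all records using the detected byte order.
    Packet bytes are network order already and are returned untouched."""
    order, nanos = pcap_byte_order(data)
    fields = struct.unpack_from(order + GLOBAL_HEADER, data, 0)
    header = {
        "byte_order": "big" if order == ">" else "little",
        "nanosecond": nanos,
        "version": (fields[1], fields[2]),
        "snaplen": fields[5],
        "linktype": fields[6],
    }
    records = []
    pos = struct.calcsize(order + GLOBAL_HEADER)
    rec_size = struct.calcsize(order + RECORD_HEADER)
    while pos + rec_size <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(
            order + RECORD_HEADER, data, pos)
        pos += rec_size
        if pos + incl_len > len(data):
            raise ValueError("truncated record")
        records.append((ts_sec, ts_frac, orig_len, data[pos:pos + incl_len]))
        pos += incl_len
    return header, records


def build_pcap(order: str, packets, nanos: bool = False) -> bytes:
    """Constructed writer used only to produce sample input (linktype 1 = Ethernet)."""
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    out = struct.pack(order + GLOBAL_HEADER, magic, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_frac, pkt in packets:
        out += struct.pack(order + RECORD_HEADER, ts_sec, ts_frac, len(pkt), len(pkt)) + pkt
    return out


# One constructed Ethernet frame: 14-byte header (EtherType 0x0800) plus a stub.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff001122334455" "0800") + b"\x45" + b"\x00" * 19
SAMPLE_PACKETS = [(1700000000, 123456, SAMPLE_FRAME)]

LITTLE_ENDIAN_FILE = build_pcap("<", SAMPLE_PACKETS)          # what an x86 host writes
BIG_ENDIAN_FILE = build_pcap(">", SAMPLE_PACKETS, nanos=True)  # e.g. a big-endian router

if __name__ == "__main__":
    for blob in (LITTLE_ENDIAN_FILE, BIG_ENDIAN_FILE):
        hdr, recs = read_pcap(blob)
        print(hdr, len(recs), recs[0][:3])
```

Both sample files decode to the same header values and the same frame bytes, which is the behaviour to reproduce in C: branch on the magic number once, swap the header fields if it indicates the other order, and use ntohs/ntohl for multi-byte fields inside the packet itself.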