
Are Berkeley Packet Filter opcode values implementation defined?

Are Berkeley Packet Filter opcode values implementation defined? I always thought of tcpdump/libpcap as authoritative in the BPF arena. I noticed that the Linux kernel and tcpdump read BPF filters differently. The BPF mnemonics and behavior are the same, but the actual opcode values themselves seem different. I went looking...

redirecting awk output to file in bash

I am working on a bash script that captures beacon frame packets (without bad FCS) and outputs them in a preferred format, but I am having a problem redirecting the output to a file. This is my command line when I am redirecting to a file called temp: tcpdump -I -i...

How to read a pcap file and save the data using cli?

I can write a program which does it, but actually, is there a way to do it in a one-liner from the CLI? I don't care about the time it takes; I prefer to have some standard solution instead of developing and maintaining my own code. By data I mean everything...

Deconstructing BPF filter in TCPdump

Trying to deconstruct this tcpdump BPF-style filter, and need some help: 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' It's taken from here. Steps that I have taken to better understand what is going on: 1. Let's convert the 0x47455420 to ASCII ===> GET ===> tcp[((tcp[12:1] & 0xf0) >> 2):4] =...

Read libpcap file with specific endianness

I wrote a C program to read a .pcap file. What fogs me is that the data I read was with a different endianness than Wireshark shows. I'm working on x86 arch, which, as I can see, is little-endian. So, can I read the .pcap file as big-endian? How? Code fragments: /*...

How to filter STUN packets by Message Transaction ID in wireshark

I am using Wireshark Network Protocol Analyzer 1.12.2 (OS: Windows). Is it possible to filter STUN packets by Message Transaction ID from a tcpdump capture using this software? Thanks in advance.

ngrep - inverted port results

I'm curious if ngrep can do inverted matching based on ports? I've tried something along the lines of: ngrep -d any -v port 22 interface: any filter: ( port 22 ) and (ip or ip6) And although it says the filter is for 'port 22', it doesn't pick up any...