我正在寻找一种方法来过滤特定字节的流量。
我有一个使用wireshark
或捕获的流tcpdump
。现在它记录了太多内容,所以我想丢弃0x23
有效载荷中位于 42 位置的每个数据包。
有没有简单的方法可以做到这一点?我正在寻找gsmtap
,但任何具有任何协议的示例都应该可以。
答案1
tcpdump(1)
使用libpcap(3)
,它使用手册页中记录的过滤器语法pcap-filter(7)
。
您可能想要跳到该expr relop expr
部分以及方括号符号:
expr relop expr
True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and
expr is an arithmetic expression composed of integer constants (expressed in
standard C syntax), the normal binary operators [+, -, *, /, &, |, <<, >>], a
length operator, and special packet data accessors. Note that all compar-
isons are unsigned, so that, for example, 0x80000000 and 0xffffffff are > 0.
To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp,
udp, icmp, ip6 or radio, and indicates the protocol layer for the index oper-
ation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link
layer. radio refers to the "radio header" added to some 802.11 captures.)
Note that tcp, udp and other upper-layer protocol types only apply to IPv4,
not IPv6 (this will be fixed in the future). The byte offset, relative to
the indicated protocol layer, is given by expr. Size is optional and indi-
cates the number of bytes in the field of interest; it can be either one,
two, or four, and defaults to one. The length operator, indicated by the
keyword len, gives the length of the packet.
因此,例如,如果您想要过滤掉以太网 II 帧有效负载位置 42 处带有 0x23 的数据包,那么这将位于整个以太网帧的偏移量 56 处(您的偏移量 42 加上 14 字节的偏移量以越过以太网报头到达有效负载),因此您可以执行以下操作:
ether[56] != 0x23
我没有完全了解 gsmtap,所以我不能保证上述过滤器正是您所需要的,但它应该可以为您指明正确的方向。