tcpdump filter on a given byte at a given position


I am looking for a way to filter traffic on a specific byte.

I have a stream captured with wireshark or tcpdump. It currently records far too much, so I want to discard every packet that has 0x23 at position 42 in the payload.

Is there a simple way to do this? I am looking at gsmtap, but an example with any protocol should do.

Answer 1

tcpdump(1) uses libpcap(3), which uses the filter syntax documented in the pcap-filter(7) man page.

You probably want to skip to the "expr relop expr" section and the square-bracket notation:

expr relop expr
       True if the relation holds, where relop is one of >, <, >=, <=,  =,  !=,  and
       expr  is an arithmetic expression composed of integer constants (expressed in
       standard C syntax), the normal binary operators [+, -, *, /, &, |, <<, >>], a
       length  operator,  and  special packet data accessors.  Note that all compar-
       isons are unsigned, so that, for example, 0x80000000 and 0xffffffff are >  0.
       To access data inside the packet, use the following syntax:
            proto [ expr : size ]
       Proto  is  one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp,
       udp, icmp, ip6 or radio, and indicates the protocol layer for the index oper-
       ation.   (ether,  fddi,  wlan,  tr,  ppp, slip and link all refer to the link
       layer. radio refers to the "radio header" added  to  some  802.11  captures.)
       Note  that  tcp, udp and other upper-layer protocol types only apply to IPv4,
       not IPv6 (this will be fixed in the future).  The byte  offset,  relative  to
       the  indicated  protocol layer, is given by expr.  Size is optional and indi-
       cates the number of bytes in the field of interest; it  can  be  either  one,
       two,  or  four,  and  defaults to one.  The length operator, indicated by the
       keyword len, gives the length of the packet.

So, for example, if you want to filter out packets that have 0x23 at position 42 of the Ethernet II frame payload, that byte sits at offset 56 in the whole Ethernet frame (your offset 42 plus the 14 bytes needed to get past the Ethernet header to the payload), so you can do this:

ether[56] != 0x23

I don't know gsmtap in detail, so I can't guarantee that the above filter is exactly what you need, but it should point you in the right direction.
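As an added example (not part of the question or answer above), here is a small Python model of the pcap-filter `proto[offset:size]` accessor run over a constructed Ethernet II / IPv4 / UDP frame. It shows why payload position 42 becomes `ether[56]`, what the same byte is called relative to the `ip` and `udp` layers, and how a packet too short for the access fails the match. The frame layout, addresses and port numbers are assumptions made for the demonstration.

```python
import struct

# Constructed sample frame: Ethernet II + IPv4 (no options) + UDP + payload.
# The layout is an assumption for illustration; nothing here comes from the post.
ETH_HDR_LEN = 14
IP_HDR_LEN = 20
UDP_HDR_LEN = 8

def build_frame(payload: bytes) -> bytes:
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    total_len = IP_HDR_LEN + UDP_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 4729, 4729, UDP_HDR_LEN + len(payload), 0)  # gsmtap port assumed
    return eth + ip + udp + payload

def layer_base(frame: bytes, proto: str) -> int:
    """Absolute offset at which the named pcap-filter layer starts in this frame.
    tcpdump resolves ip/udp bases per packet; this helper assumes IPv4 over Ethernet."""
    if proto in ("ether", "link"):
        return 0
    if proto == "ip":
        return ETH_HDR_LEN
    if proto == "udp":
        ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4      # IPv4 header length from the IHL field
        return ETH_HDR_LEN + ihl
    raise ValueError("unsupported layer: " + proto)

def access(frame: bytes, proto: str, offset: int, size: int = 1):
    """Evaluate proto[offset:size] as an unsigned big-endian integer.
    Returns None when the access runs past the end of the packet; BPF then
    treats the whole filter expression as not matching."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    start = layer_base(frame, proto) + offset
    if start + size > len(frame):
        return None
    return int.from_bytes(frame[start:start + size], "big")

def keep_packet(frame: bytes) -> bool:
    """Mirror the answer's filter 'ether[56] != 0x23'."""
    value = access(frame, "ether", 56)
    return value is not None and value != 0x23
```

Note that with this layout Ethernet payload byte 42 is also `ip[42]` and `udp[22]`; which base you use changes the number you write, not the byte you test.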
