[Snort-sigs] Does anyone know how to check the urgent pointer (not the URG flag)?

Matthew Watchinski mwatchinski at ...435...
Fri Jul 16 09:26:23 EDT 2004

No rule keyword, but a BPF filter can be used on a collected binary or via 
the snort command line. Doing it on the command line will only capture the 
traffic provided by the filter and ignore the rest.

'tcp[18:2] != 0'

snort -vd 'tcp[18:2] != 0'


Joseph Gama wrote:

>I wanted to check the urgent pointer (offset 0x10) on
>a TCP packet. This is not the URG flag but the word
>after the checksum word in the packet. If you know it,
>please let me know.
>Thank you!
>Joseph Gama
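An added example, not part of either message in this thread: the same test as the BPF expression `tcp[18:2] != 0`, written out in Python so the offset arithmetic is visible, and extended to report the case where the urgent pointer is non-zero while the URG flag is clear. The function names are hypothetical and the sample packets are constructed (documentation addresses, zero checksums).

```python
import struct

URG = 0x20  # URG bit in the TCP flags byte (TCP header offset 13)

def urgent_pointer(tcp_header: bytes) -> int:
    """Return the 16-bit urgent pointer, the value BPF reads as tcp[18:2]."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack_from("!H", tcp_header, 18)[0]

def inspect_ipv4(packet: bytes) -> dict:
    """Locate the TCP header in an IPv4 packet; report URG flag and pointer."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[9] != 6:
        raise ValueError("not TCP")
    ihl = (packet[0] & 0x0F) * 4          # IP options shift the TCP header
    tcp = packet[ihl:]
    ptr = urgent_pointer(tcp)
    urg = bool(tcp[13] & URG)
    return {
        "urg_flag": urg,
        "urgent_pointer": ptr,
        "bpf_match": ptr != 0,                       # tcp[18:2] != 0
        "pointer_without_flag": ptr != 0 and not urg,
    }

def build_packet(flags: int, urg_ptr: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 + TCP headers, checksums left zero."""
    ihl = 5 + len(ip_options) // 4        # options must be a multiple of 4 bytes
    total = ihl * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags,
                      8192, 0, urg_ptr)
    return ip + tcp

if __name__ == "__main__":
    samples = {
        "ACK, pointer 0": build_packet(0x10, 0),
        "ACK, pointer 7 (no URG)": build_packet(0x10, 7),
        "ACK+URG, pointer 7, IP options": build_packet(0x30, 7, b"\x01" * 4),
    }
    for name, pkt in samples.items():
        print(name, inspect_ipv4(pkt))
```
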