[Snort-users] TCPDUMP Filter doesn't work :(

counterping at ...5767...
Wed Oct 9 11:19:07 EDT 2002


Hiya,

I have just started playing with filters within TCPDUMP and am a little 
confused ....

I do NOT want to log RTP traffic on my network, but want to log everything else.
RTP runs over UDP. The first two bytes in the PAYLOAD are always the same (this
is the RTP header), and they have the hex values 80 and 04.

I have used the following filter to look at the first 2 bytes AFTER the UDP
packet (bytes 8 and 9), UDP packets are always 8 Bytes. (so it's kinda fooling
the app)

"!udp[8] = 0x80 and udp[9] = 0x04"

And it doesn't work .... BUT what's really weird.....
if I remove the 'NOT' operator (!) it works just fine, capturing ALL the RTP 
traffic ONLY!

Any help would be really appreciated, I must be doing something real stupid.
Cheers
MC


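The behaviour described in the post follows from pcap filter precedence: negation binds tighter than "and", so `!udp[8] = 0x80 and udp[9] = 0x04` is parsed as `(not udp[8] = 0x80) and (udp[9] = 0x04)`, which matches only UDP packets whose first payload byte is not 0x80 and whose second byte happens to be 0x04. The filter the poster wants is `not (udp[8] = 0x80 and udp[9] = 0x04)`, which also passes TCP and other non-UDP traffic, because a comparison on `udp[n]` is simply false for a packet that is not UDP. (One caveat: the second RTP byte carries the marker bit and payload type, so 0x04 only holds for one codec, G.723 per RFC 3551; the first byte 0x80 is the RTP version 2 header and is the more reliable check.) The example below is an added illustration, not code from the original post or from Snort/tcpdump: it re-implements both readings of the filter over constructed Ethernet/IPv4 frames, mirroring how libpcap indexes `udp[n]` from the start of the UDP header, and writes the same frames to a pcap file so the result can be checked against real tcpdump. Frame contents, addresses and the 0xA1B2C3D4 classic pcap layout are the only assumptions; the checksums in the constructed frames are zero placeholders.

```python
"""Added example (not from the original post): why
    !udp[8] = 0x80 and udp[9] = 0x04        (as written)
captures almost nothing while
    not (udp[8] = 0x80 and udp[9] = 0x04)   (intended)
logs everything except RTP. pcap's 'not' binds tighter than 'and'."""
import struct

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(proto: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/{UDP,TCP} frame around `payload`.
    Addresses, ports and checksums are constructed placeholders (checksums
    are zero); tcpdump -r does not need them for the filters below."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", 5004, 5004, 8 + len(payload), 0) + payload
    else:  # minimal 20-byte TCP header, no options, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", 5004, 5004, 0, 0, 5 << 4, 0x18,
                         8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETH_IPV4)
    return eth + ip + l4


def udp_byte(frame: bytes, n: int):
    """Mimic pcap's udp[n]: byte n counted from the START of the UDP header,
    so udp[8] is the first payload byte. Returns None when the frame is not
    IPv4/UDP (or is a non-first fragment); pcap makes any comparison on
    udp[n] false for such packets because the generated BPF checks the
    protocol before loading the byte."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    frag_off = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if frame[23] != PROTO_UDP or frag_off != 0:
        return None
    idx = 14 + ihl + n
    return frame[idx] if idx < len(frame) else None


def filter_as_written(frame: bytes) -> bool:
    """'!udp[8] = 0x80 and udp[9] = 0x04' as pcap actually parses it:
    (not udp[8] = 0x80) and (udp[9] = 0x04)."""
    b8, b9 = udp_byte(frame, 8), udp_byte(frame, 9)
    not_first = not (b8 is not None and b8 == 0x80)
    second = b9 is not None and b9 == 0x04
    return not_first and second


def filter_intended(frame: bytes) -> bool:
    """'not (udp[8] = 0x80 and udp[9] = 0x04)': everything except RTP,
    including non-UDP traffic, for which both comparisons are false."""
    b8, b9 = udp_byte(frame, 8), udp_byte(frame, 9)
    return not (b8 == 0x80 and b9 == 0x04)


SAMPLE_FRAMES = {  # constructed test traffic, not real captures
    "rtp":       build_frame(PROTO_UDP, b"\x80\x04" + bytes(10)),  # RTP v2, PT 4
    "dns_like":  build_frame(PROTO_UDP, b"\x12\x34" + bytes(10)),  # other UDP
    "udp_x04":   build_frame(PROTO_UDP, b"\x01\x04" + bytes(10)),  # 2nd byte 0x04
    "tcp_80_04": build_frame(PROTO_TCP, b"\x80\x04" + bytes(10)),  # TCP, not UDP
}


def apply_filters(frames=SAMPLE_FRAMES) -> dict:
    """Names of the frames each filter would pass to the logger."""
    return {
        "as_written": [n for n, f in frames.items() if filter_as_written(f)],
        "intended":   [n for n, f in frames.items() if filter_intended(f)],
    }


def pcap_bytes(frames=SAMPLE_FRAMES) -> bytes:
    """Classic pcap image (magic 0xA1B2C3D4, link type 1 = Ethernet) of the
    frames, for comparing the two filters with real tcpdump -r."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames.values()):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    print(apply_filters())
    with open("rtp_filter_demo.pcap", "wb") as fh:
        fh.write(pcap_bytes())
```

Running the script prints `{'as_written': ['udp_x04'], 'intended': ['dns_like', 'udp_x04', 'tcp_80_04']}` and writes rtp_filter_demo.pcap; the same split should appear from `tcpdump -nr rtp_filter_demo.pcap '!udp[8] = 0x80 and udp[9] = 0x04'` versus `tcpdump -nr rtp_filter_demo.pcap 'not (udp[8] = 0x80 and udp[9] = 0x04)'`, and `tcpdump -d` with either expression shows the compiled BPF, where the precedence difference is visible in the jump structure. Reading from a file needs no capture privileges.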