[Snort-users] TCPDUMP Filter don't work :(

Jim Cliver jim.c at ...3008...
Wed Oct 9 11:47:02 EDT 2002


Hello MC,

I would try specifying the filter in a single statement something like
udp[8:2] != 0x8004. Or you could add another ! character before the
second udp statement so that both are negated.

Hope this helps.
clive

counterping at ...5767... wrote:
> 
> Hiya,
> 
> I have just started playing with filters within TCPDUMP and am a little
> confused ....
> 
> I do NOT want to log RTP traffic on my network, but want to log everything else.
> RTP runs over UDP. The first two bytes in the PAYLOAD are always the same (this
> is the RTP header), and they have the hex values 80 and 04.
> 
> I have used the following filter to look at the first 2 bytes AFTER the UDP
> packet (bytes 8 and 9); UDP packets are always 8 bytes. (So it's kinda fooling
> the app.)
> 
> "!udp[8] = 0x80 and udp[9] = 0x04"
> 
> And it doesn't work .... BUT what's really weird.....
> if I remove the 'NOT' operator (!) it works just fine, capturing ALL the RTP
> traffic ONLY!
> 
> Any help would be really appreciated, I must be doing something real stupid.
> Cheers
> MC
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
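Why MC's filter behaves the way it does comes down to operator precedence in the pcap filter grammar: `not` (`!`) binds tighter than `and`, so `!udp[8] = 0x80 and udp[9] = 0x04` is parsed as `(not udp[8] = 0x80) and (udp[9] = 0x04)`, which only passes datagrams whose first payload byte is not 0x80 but whose second byte is 0x04. The script below is an added example, not code from the thread or from Snort or tcpdump: it builds a few constructed IPv4/UDP datagrams, emulates pcap's `udp[offset:size]` indexing (offset relative to the UDP header, big-endian multi-byte loads, packet rejected if the load runs past the end) and evaluates four candidate filters exactly as libpcap would parse them, so the difference between the broken filter, the `udp[8:2] != 0x8004` form suggested in the reply, the parenthesised negation, and negating each comparison separately is visible on sample data. The payload bytes, ports and addresses are invented for illustration.

```python
import struct

# Constructed sample UDP payloads (not captures from the thread).
# Only the first two payload bytes matter: they are what udp[8] and udp[9] load.
SAMPLE_PAYLOADS = {
    "rtp":        bytes([0x80, 0x04]) + bytes(10),  # RTP as described: 80 04
    "dns":        bytes([0x12, 0x34, 0x01, 0x00]),  # some non-RTP datagram
    "80_then_00": bytes([0x80, 0x00, 0xAA]),        # first byte matches, second does not
    "00_then_04": bytes([0x00, 0x04, 0xBB]),        # second byte matches, first does not
}


def build_ipv4_udp(payload: bytes, sport: int = 5004, dport: int = 5004) -> bytes:
    """Minimal IPv4 header (no options) + UDP header + payload.
    Checksums are left at zero; they play no part in byte-offset filtering."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,   # proto 17 = UDP
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + udp_hdr + payload


def udp_index(pkt: bytes, offset: int, size: int = 1):
    """Emulate pcap's udp[offset:size].
    The offset counts from the start of the UDP header, so udp[8] is the first
    payload byte; multi-byte loads are big-endian. Returns None when the load would
    run past the end of the packet, which is when the compiled BPF program rejects it."""
    ihl = (pkt[0] & 0x0F) * 4           # IPv4 header length in bytes
    start = ihl + offset
    if start + size > len(pkt):
        return None
    return int.from_bytes(pkt[start:start + size], "big")


# Each filter as libpcap parses it: 'not' binds tighter than 'and'.
# Arguments: b8 = udp[8], b9 = udp[9], w = udp[8:2].
FILTERS = {
    # MC's original: only the first comparison is negated.
    "!udp[8] = 0x80 and udp[9] = 0x04":
        lambda b8, b9, w: (not b8 == 0x80) and b9 == 0x04,
    # Single-statement form from the reply: compare the 16-bit word.
    "udp[8:2] != 0x8004":
        lambda b8, b9, w: w != 0x8004,
    # Parenthesised negation of the whole conjunction; same truth table as above.
    "not (udp[8] = 0x80 and udp[9] = 0x04)":
        lambda b8, b9, w: not (b8 == 0x80 and b9 == 0x04),
    # Negating each comparison separately is not(A) and not(B) = not(A or B):
    # it also drops every datagram whose first byte is 0x80 OR whose second is 0x04.
    "!udp[8] = 0x80 and !udp[9] = 0x04":
        lambda b8, b9, w: b8 != 0x80 and b9 != 0x04,
}


def matches(filter_expr: str, pkt: bytes) -> bool:
    """True if pkt would be captured under filter_expr."""
    b8, b9, w = udp_index(pkt, 8), udp_index(pkt, 9), udp_index(pkt, 8, 2)
    if None in (b8, b9, w):
        return False  # too short for the loads the filter needs: BPF rejects it
    return FILTERS[filter_expr](b8, b9, w)


def kept_by(filter_expr: str) -> list:
    """Names of the sample datagrams that filter_expr would let through."""
    return [name for name, payload in SAMPLE_PAYLOADS.items()
            if matches(filter_expr, build_ipv4_udp(payload))]


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:45s} -> {kept_by(expr)}")
```

Running it shows the original filter keeping only the `00_then_04` datagram (almost nothing, which is what MC saw), `udp[8:2] != 0x8004` and the parenthesised `not (...)` keeping everything except the RTP datagram, and the doubly negated form keeping only `dns`. Note that a datagram with a one-byte payload fails `udp[8:2] != 0x8004` as well, because the two-byte load runs off the end of the packet; a filter that must keep such runts needs an explicit length guard.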