[Snort-users] TCPDUMP Filter don't work :(

Phil Wood cpw at ...440...
Wed Oct 9 11:52:01 EDT 2002


Try "not \( udp[8] = 0x80 and udp[9] = 0x04 \)"

On Wed, Oct 09, 2002 at 07:23:05PM +0000, counterping at ...5767... wrote:
> 
> Hiya,
> 
> I have just started playing with filters within TCPDUMP and am a little 
> confused ....
> 
> I do NOT want to log RTP traffic on my network, but want to log everything else.
> RTP runs over UDP. The first two bytes in the PAYLOAD are always the same (this 
> is the RTP Header), and it has the hex value 80 and 04.
> 
> I have used the following filter to look at the first 2 bytes AFTER the UDP 
> header (byte 8 and 9), UDP headers are always 8 Bytes. (so it's kinda fooling 
> the app)
> 
> "!udp[8] = 0x80 and udp[9] = 0x04"
> 
> And it doesn't work .... BUT what's really weird.....
> if I remove the 'NOT' operator (!) it works just fine, capturing ALL the RTP 
> traffic ONLY!
> 
> Any help would be really appreciated, I must be doing something real stupid.
> Cheers
> MC
> 
> 

-- 
Phil Wood, cpw at ...440...
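The difference between the two filters in this thread is operator precedence: in pcap filter syntax, negation binds tighter than `and`, so `!udp[8] = 0x80 and udp[9] = 0x04` is parsed as `(not udp[8] = 0x80) and udp[9] = 0x04`, which only matches packets whose first payload byte is anything but 0x80 AND whose second byte is 0x04. The parenthesised form from the reply negates the whole conjunction. The following Python snippet is an added example, not part of the thread: it builds a few constructed UDP datagrams (header plus payload, so `udp[8]` is the first payload byte exactly as in the filter) and evaluates both expressions with the same precedence the filter compiler applies. It also mirrors one BPF behaviour worth knowing: an index past the end of the packet makes the whole filter reject the packet, so a UDP datagram with fewer than two payload bytes is not captured by either expression.

```python
import struct

def udp_datagram(sport, dport, payload):
    """Constructed UDP header (8 bytes, checksum left 0) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed samples, not captured traffic. RTP version 2 starts with 0x80;
# the 0x04 second byte is the value the thread describes.
SAMPLES = {
    "rtp":        udp_datagram(16384, 16384, bytes([0x80, 0x04]) + b"\x00" * 10),
    "dns":        udp_datagram(53000, 53,    bytes([0x12, 0x34]) + b"\x01\x00"),
    "odd_second": udp_datagram(40000, 40000, bytes([0x11, 0x04]) + b"\x00" * 4),
    "odd_first":  udp_datagram(40000, 40000, bytes([0x80, 0x99]) + b"\x00" * 4),
    "truncated":  udp_datagram(40000, 40000, b""),   # no payload at all
}

def _in_bounds(udp, *offsets):
    # BPF rejects the packet outright if any byte access is out of range.
    return all(off < len(udp) for off in offsets)

def as_written(udp):
    """'!udp[8] = 0x80 and udp[9] = 0x04' -> (not udp[8]==0x80) and udp[9]==0x04"""
    if not _in_bounds(udp, 8, 9):
        return False
    return (not udp[8] == 0x80) and udp[9] == 0x04

def grouped(udp):
    """'not ( udp[8] = 0x80 and udp[9] = 0x04 )' from the reply."""
    if not _in_bounds(udp, 8, 9):
        return False
    return not (udp[8] == 0x80 and udp[9] == 0x04)

def evaluate(filter_fn):
    """Map each sample name to whether the filter would keep the packet."""
    return {name: filter_fn(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, fn in (("as written", as_written), ("grouped", grouped)):
        print(label, evaluate(fn))
```

The "as written" form keeps only `odd_second`, which is why it looked like it captured nothing; the grouped form keeps everything except the RTP packet, and neither keeps the payload-less datagram. To check how a real filter was compiled rather than reasoning about it, `tcpdump -d '<expr>'` prints the BPF program so the grouping is visible.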