I.e., what you mean is not "I have been working on a program that will
report when a HTTP text/plain packet is sent over the network.", but
"I have been working on a program that will report when a very
particular packet is sent over the network." - the program won't
report all HTTP replies with a text/plain body, it will all report TCP
segment packets with "for " at a particular offset in them.
Yes, exactly, that's what I meant sorry.
Does your program capture that packet, along with other packets, if
you don't do any filtering?
Yep. I re-wrote my program and filtered only port 80 and found the
usual Internet traffic, along with my "for " packets. Which is why I
didn't think it was my code, but I suppose that's what it has to be.
I'll ask on tcpdump-workers, unless you have any other ideas first?
On Apr 16, 2009, at 9:11 PM, Guy Harris wrote:
On Apr 16, 2009, at 6:02 PM, Caleb Hearon wrote:
Thanks for the response. By HTTP text/plain packet I just mean that
to see this packet in Wireshark i use http.content_type == "text/
plain" && tcp.port == 80. The ASCII value is offset 32 bytes after
the beginning of the TCP headers according to Wireshark (here's the
packet I'm trying to filter: http://img15.imageshack.us/img15/7955/picture1xpp.png
).
I.e., what you mean is not "I have been working on a program that will
report when a HTTP text/plain packet is sent over the network.", but
"I have been working on a program that will report when a very
particular packet is sent over the network." - the program won't
report all HTTP replies with a text/plain body, it will all report TCP
segment packets with "for " at a particular offset in them.
Sorry, I wasn't clear in that last part. What I meant was, using
Wireshark I found that the packet coming to my Mac had the same
format
as the packet coming to my Linux machine, so it should be filtering
it
the same way. But my program was not doing so. So, to double check
the filter, I used tcpdump and sure enough, it passed on through,
confirming that I had the right filter string.
So this isn't an issue with Wireshark; the best list for discussing
programming with libpcap is tcpdump-workers@xxxxxxxxxxx - Wireshark
just happens to be one of the programs that uses libpcap, along with
tcpdump, snort, etc.. (The fact that the tcpdump list is also for
libpcap is historical - the same people developed tcpdump and libpcap,
and didn't bother setting up a separate list when they first split off
the low-level capture parts of tcpdump into a library.)
And, given that tcpdump sees the packet, the problem isn't with using
BPF filters, it's with some other aspect of your program.
Does your program capture that packet, along with other packets, if
you don't do any filtering?
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
