
Ethereal-users: RE: [Ethereal-users] filter for HTTP payload

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Khachaturov Vassilii <Vassilii.Khachaturov@xxxxxxxxxxxx>
Date: Thu, 22 Aug 2002 09:38:36 -0400
> uses this example "tpc[20:4] = 0x48454C4F" is looking for the 
You probably wanted to say tcp, not tpc, and ==, not =.
And the byte-string literal should have been 48:45:4C:4F.

> word "HELO" starting 20 bytes into the packet for a length of 4 bytes.  I am
> trying to understand how I can determine the offset into the packet.  I have
> an example of an "http" packet that is a "POST".  From what I see in the
> capture, the POST is in the hex dump section on the line that starts "0030",
> in the 6th column from the left.  Should this be offset 36?  POST, like HELO,
> is 4 bytes long, so my filter should be "port 80 and ( tcp[36:4] =
> 0x504f5354 )".  I know, however, that this is not matching, as I have run
> several tests and I get no matches on my filter.

If you ran this verbatim you should have gotten a syntax error.
Anyway, the simplest way to do what you want is to apply a filter
offsetting from the http block, like this:

http[0:4] == 47:45:54:20
(this would look for an HTTP GET, note the trailing space)

Trusting that your ASCIIfication of POST is correct (unless there's
another mistype there as well), the filter you're looking for is, perhaps,
http[0:5] == 50:4f:53:54:20

HTH,
	Vassilii
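An added illustration of the offset arithmetic behind the answer above. It is not Ethereal/Wireshark code and does not use its filter engine; it builds two constructed frames (Ethernet II + IPv4 + TCP + an HTTP POST, one without and one with TCP options), slices them per layer the way a display filter's proto[offset:length] addresses bytes (the tcp slice starts at the TCP header and runs to the end of the frame, so the payload begins at tcp[20] only when the header carries no options), and evaluates a deliberately tiny subset of the filter grammar (proto[a:b] == aa:bb:cc). The HTTP "dissector" here is a toy port-80 heuristic and the frame contents are made up; the `locate` helper just reports which hex-dump line label a byte would appear under, to show why the POST that shows up on the "0030" line is really 54 bytes into the frame and 20 bytes into tcp, not 36.

```python
"""Added example: layer-relative vs. frame-relative offsets in a slice filter.
Stand-alone illustration, not Ethereal/Wireshark code."""
import re
import struct


def build_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed Ethernet II + IPv4 (no options) + TCP + payload frame.
    Checksums are left zero; only the byte layout matters here."""
    assert len(tcp_options) % 4 == 0, "TCP options are padded to 32-bit words"
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"   # made-up MACs, EtherType IPv4
    tcp_len = 20 + len(tcp_options)
    ip_total = 20 + tcp_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_offset = (tcp_len // 4) << 12                              # header length in 32-bit words
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, data_offset | 0x18, 65535, 0, 0)
    return eth + ip + tcp + tcp_options + payload


def dissect(frame: bytes) -> dict:
    """Return each layer as a byte slice, as a display filter's proto[a:b] sees it:
    the slice starts at that protocol's header and continues to the end of the
    frame, so tcp[] covers the TCP header *and* everything after it."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    layers = {"frame": frame, "ip": frame[14:], "tcp": frame[tcp_start:]}
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    payload = frame[tcp_start + data_off:]
    if 80 in (sport, dport) and payload:       # toy heuristic: port 80 payload is "http"
        layers["http"] = payload
    return layers


# Only the form  proto[offset:length] == aa:bb:cc  is understood (assumed toy grammar).
_SLICE = re.compile(r"^(\w+)\[(\d+):(\d+)\]\s*==\s*([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)$")


def slice_match(layers: dict, expr: str) -> bool:
    """Evaluate one slice comparison; a protocol absent from the packet never matches.
    Anything else (e.g. '=' or a 0x... literal) is rejected as a syntax error."""
    m = _SLICE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter syntax: {expr!r}")
    proto, off, length, literal = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    want = bytes.fromhex(literal.replace(":", ""))
    if len(want) != length:
        raise ValueError("byte-string literal length does not match the slice length")
    data = layers.get(proto)
    if data is None:
        return False
    return data[off:off + length] == want


def locate(frame: bytes, needle: bytes) -> tuple:
    """(frame offset, hex-dump line label, tcp-relative offset) of `needle`.
    Hex-dump line labels are hexadecimal: a byte on the '0030' line is at 0x30+ = 48+."""
    i = frame.find(needle)
    tcp_start = 14 + (frame[14] & 0x0F) * 4
    return i, f"{i & ~0xF:04x}", i - tcp_start


# Constructed traffic: same POST, once with a bare 20-byte TCP header and once with
# 12 bytes of options (NOP, NOP, timestamp), which pushes the payload to tcp[32].
REQUEST = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
FRAME_PLAIN = build_frame(REQUEST)
FRAME_OPTS = build_frame(REQUEST, tcp_options=bytes.fromhex("0101080a0000000100000002"))

if __name__ == "__main__":
    for name, frame in (("no options", FRAME_PLAIN), ("with options", FRAME_OPTS)):
        layers = dissect(frame)
        print(name, "POST at (frame, dump line, tcp-relative):", locate(frame, b"POST"))
        for flt in ("tcp[36:4] == 50:4f:53:54",      # the poster's offset, read off the dump
                    "tcp[20:4] == 50:4f:53:54",      # payload start, but only without options
                    "http[0:5] == 50:4f:53:54:20",   # layer-relative: robust to header length
                    "http[0:4] == 47:45:54:20"):     # GET, should not match a POST
            print(f"  {flt:32} -> {slice_match(layers, flt)}")
    try:
        slice_match(dissect(FRAME_PLAIN), "tcp[36:4] = 0x504f5354")
    except ValueError as e:
        print("syntax error, as Vassilii noted:", e)
```

Running it shows the POST under the "0030" dump line at frame offset 54, i.e. tcp[20], so tcp[36:4] lands on "/1.1" and never matches; tcp[20:4] matches only the frame whose TCP header has no options, while http[0:5] matches both because it is anchored to the start of the dissected HTTP layer rather than to a fixed header size.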