Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Hex Offset Needed

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 4 Mar 2010 07:54:50 +0100
Nope, you're not missing anything, I omitted something ;-)

Indeed rightshifting is a division, but I forgot to mention that in taking the upper 4 bits by anding with 0xf0, the result must first be devided by 16. So rightshifting 4 bits and then leftshifting two bits. Result: rightshifting 2 bits.



On 4 mrt 2010, at 06:17, Jehanzeb Khan wrote:

Hi Sake
 I hope all is well at your end. I was just wondering if shifting right would be division instead of multiplication? Or am i missing something?


From: Sake Blok <sake@xxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Thu, March 4, 2010 2:42:29 AM
Subject: Re: [Wireshark-users] Hex Offset Needed

Or if your capturing device is capable of interpreting tcpdump style filters (or more accurately, BPF style filters), you could use:

tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2] = 0x2030

Which in English would be: 
- take the upper 4 bits of the 12th octet in the tcp header ( tcp[12:1] & 0xf0 )
- multiply it by four ( (tcp[12:1] & 0xf0)>>2 ) which should give the tcp header length
- add 8 ( ((tcp[12:1] & 0xf0) >> 2) + 8 ) gives the offset into the tcp header of the space before the first octet of the response code
- now take two octets from the tcp stream, starting at that offset ( tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2]  )
- and verify that they are " 0" ( = 0x2030 )

Of course this can give you false positives, so you might want to add a test for "HTTP" and the start of the tcp payload with:

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450

resulting in the filter:

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 and tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):2] = 0x2030

A bit cryptic, but it works, even when TCP options are present (which would mess up a fixed offset into the tcp data).



On 3 mrt 2010, at 18:17, Abhijit Bare wrote:

Hi John,

Can you use "http/1.1" string as an indicator of response code? Only HTTP response packets have "http/1.1" or "http/1.0" (case can be upper) followed by a <space> followed by http response code (look for one digit). If you can parse this out while stream is coming in and that digit is "0", will that mean that you have found the packet? HTTP request also has "http/1.1", but there is generally no space and digit following it. Other traffic may not have the same pattern too.


On Tue, Mar 2, 2010 at 5:09 AM, Sheahan, John <John.Sheahan@xxxxxxxxxxxxx> wrote:

Good points Martin.


You’re right about there being no HTTP response code of 0.


The software that the web guys use to analyze the front end web traffic will put a “0” in if it finds a packet that has an http accept and for some reason the HTTP response code is missing or unreadable and these are the packets that I’m trying to capture however there is so much HTTP traffic on the web segment that my buffer fills up in seconds so I need to try and narrow it down with a filter.


The only things I have to go by are:


1.       Sometimes the HTTP Response code can’t be read.

2.       The problem seems to come from Safari browsers on MAC machines


Since the User Agent data comes after a variable length Accept field as you point out, wouldn’t be easier for me at this point to filter on just Accept messages? I think if I do it this way, it will take a good amount of time to fill up the buffer and I can look to the web admins to tell me when they see the error in their logs and match it up that way?


Thanks for the help




From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Visser
Sent: Monday, March 01, 2010 9:53 PM

To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Hex Offset Needed




This is a bit tricky. Firstly I don't believe that there is a HTTP response code (or status code) with a value of "0"


Also the HTTP "User-Agent" is going to go out in the request, and is not seen in the response. So whatever you do needs to be "stateful" knowing that the response is associated with a particular requests.


Also I don't think there is a guarantee and on the "offset" in a packet where the response code will be and almost certainly not for the "User-Agent"  string as it usually preceded by the "Accept" string which is quite variable amongst browsers. 


However you can use the Wireshark "Packet Bytes" pane (usually at the bottom of the window) to see if you cand devise something that is a "good enough" filter to limit what you capture and then refine it further with Wireshark to do it properly.


Regards, Martin


On Tue, Mar 2, 2010 at 11:36 AM, Sheahan, John <John.Sheahan@xxxxxxxxxxxxx> wrote:

Another way for me  to track this problem down is for me to sniff all Safari browsers on MAC’s using HTTP coming into our webservers.


I will need to create a filter using the offset values for:


HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en)


Can anyone help me this together?






From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sheahan, John
Sent: Monday, March 01, 2010 5:38 PM
To: 'Community support list for Wireshark'
Subject: [Wireshark-users] Hex Offset Needed


I am trying to troubleshoot an HTTP problem where the StatusCode=0 in the HTTP header.

I need to capture packets containing this parameter but since I am doing it on a Netscout probe, I have no way to figure out the offset of this in a packet.


Can anyone tell me what hex offset I would need to put in as a filter to capture these packets?





Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>


Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>

Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>