This site was behind a Cloudflare proxy between September 22, 2016 and February 18th, 2017 and might be subject to sensitive information leaks. See this blog post for more details.


I would like to know who login on application and I see that by fltering the port 1100 and I have this type of line : TCP 55482 > mctp [PSH, ACK] Seq=1352 Ack=195886 Win=65656 Len=163 But there are too many lines with this filter I need to filter data for this string "LoginData" but not after, during the capture, to not have too much lines (270Mb for one hour, and I want to make statistics on one month).

Thx in advance

asked 11 Dec '12, 07:51

Pheslot's gravatar image

accept rate: 0%

Capture filters are based on BPF and are executed in kernel space for speed. BPF is a sort of virtual machine with a limited instruction set. To optimize for speed and to make sure it is impossible to end up in an infinite loop, there is no way in BPF to search for a specific string in the whole packet. It can only look for strings at specific offsets.

So unless the string "LoginData" is always at the same offset in a packet, there is no way to do this with BPF.

However, if the string "LoginData" is always at the start of the packet, the following packet-filter might just be your friend :-)

tcp[0:4]=0x4c6f6769 and tcp[4:4]=0x6e446174 and tcp[8:1]=0x61

answered 11 Dec '12, 10:28

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Hi SYN-bit,

Thank you but I'm not very familiar with that, what I can tell you it is that the whole packet is like that :

alt text

(12 Dec '12, 01:51) Pheslot

In this frame, the string LoginData starts at offset 0x006a. Since the packet looks like binary data (and not html for instance), it might just be that the string LoginData always starts at this offset. The filter would then become:

tcp[0x6a:4]=0x4c6f6769 and tcp[0x6e:4]=0x6e446174 and tcp[0x72:1]=0x61
(13 Dec '12, 15:28) SYN-bit ♦♦

I suggest to check ngrep.

This tools allows to search for strings in IP packets and if it finds the string, it will dump the content of the packet.

It does work on Linux and it should work on Windows.



answered 14 Dec '12, 10:41

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 14 Dec '12, 10:47

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 11 Dec '12, 07:51

Seen: 4,106 times

Last updated: 14 Dec '12, 10:47

p​o​w​e​r​e​d by O​S​Q​A