
tcpdump Bit Masking


Reading 'GE' from the TCP payload. Basically I am trying to read 'GET'; for the sake of keeping the filter short I use only 'GE', as it still gets the packets carrying the GET keyword.

The filter below, with bit shifting, works fine:

    tcpdump -r tcpdump.pcap -nta 'tcp[((tcp[12] >> 4) * 4):2] = 0x4745'

but I am not sure why the one below is not working:

    tcpdump -r file.pcap -nta 'tcp[((tcp[12] & 0xf0 != 0) * 4):2] = 0x4745'

It would be a great help if someone could point out the problem. Thanks.


Solution

  • Your second one isn't working because you are masking off the low nibble of offset 12 and preserving the high nibble... which is correct... but you aren't actually capturing its value.

    Effectively, you have said this:

    (tcp[12] & 0xf0 != 0)
    

    That will produce a 1 or a zero as a true or a false. Next, you multiply that by 4... which will always work since the TCP header length will always be greater than zero... but it will now be looking for the "GE" letters at offset 4 in the TCP header... the start of the sequence number.

    You can still use the 0xf0 mask, but you still need to divide it or shift it. For example:

     ((tcp[12] & 0xf0) >> 2)
    

    Notice that I am taking advantage of the shift to avoid having to multiply by 4... Multiplying by 4 is equivalent to shifting left 2 bits. Since I would normally shift the 12th byte offset 4 bits, I'm saving a step.
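To see the arithmetic from the question and the answer side by side, here is an added Python example (not part of the original post) that evaluates each offset expression against a constructed TCP segment instead of a capture. It assumes the pcap-filter grammar gives `>>` higher precedence than `&`, as C does, so the mask form needs its parentheses; the segment builder and the sample request line are constructed for the demonstration.

```python
import struct

# Constructed sample segments (not captured traffic): a TCP header, an optional
# options block, and an HTTP request line as payload.
def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Build TCP header + options + payload; checksum is left at zero."""
    assert len(options) % 4 == 0, "options must pad to 32-bit words"
    data_offset_words = 5 + len(options) // 4   # header length in 32-bit words
    offset_byte = data_offset_words << 4         # tcp[12]: high nibble = data offset
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,              # source / destination port
                         1, 0,                   # sequence / acknowledgement number
                         offset_byte, 0x18,      # tcp[12], flags (PSH+ACK)
                         65535, 0, 0)            # window, checksum, urgent pointer
    return header + options + payload

def offset_shift(tcp: bytes) -> int:
    """(tcp[12] >> 4) * 4 : the working filter from the question."""
    return (tcp[12] >> 4) * 4

def offset_mask_shift(tcp: bytes) -> int:
    """((tcp[12] & 0xf0) >> 2) : mask, then shift, with explicit parentheses."""
    return (tcp[12] & 0xf0) >> 2

def offset_mask_compare(tcp: bytes) -> int:
    """(tcp[12] & 0xf0 != 0) * 4 : the question's broken form, read the way the
    answer reads it: a 1/0 truth value times 4, i.e. always offset 4 (the seq number)."""
    return int((tcp[12] & 0xf0) != 0) * 4

def offset_unparenthesised(tcp: bytes) -> int:
    """tcp[12] & 0xf0 >> 2 with no parentheses: assuming >> binds tighter than &
    (as in C), this is tcp[12] & 0x3c, which is not the header length."""
    return tcp[12] & (0xf0 >> 2)

def matches_ge(tcp: bytes, offset: int) -> bool:
    """tcp[offset:2] = 0x4745 : compare two bytes at offset against 'GE'."""
    if len(tcp) < offset + 2:
        return False
    return struct.unpack("!H", tcp[offset:offset + 2])[0] == 0x4745

if __name__ == "__main__":
    # 12 bytes of NOP options -> data offset 8 words (32 bytes), tcp[12] = 0x80
    seg = build_tcp_segment(b"GET / HTTP/1.1\r\n", b"\x01" * 12)
    for name, fn in [("shift", offset_shift), ("mask>>2", offset_mask_shift),
                     ("mask!=0", offset_mask_compare), ("no parens", offset_unparenthesised)]:
        off = fn(seg)
        print(f"{name:10s} offset={off:2d} matches GE: {matches_ge(seg, off)}")
```

Run it with and without the options block: only the shift form and the fully parenthesised mask form land on the payload in both cases.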