[Winpcap-users] Filtering with BPF
Guy Harris
guy at alum.mit.edu
Sat Apr 12 18:19:52 GMT 2008
Leonardo Barata wrote:
> As far as I know no, they don't vary. They're always of the same size
> (ethernet + ip + tcp headers)
No. The Ethernet header is a fixed 14 bytes, but the IP and TCP headers
can have options, so their length is variable.
For IPv4, see http://www.tcpdump.org/lists/workers/2005/11/msg00027.html
for an example of a capture filter to check for TCP packets without any
payload.
More information about the Winpcap-users
mailing list