# tcpdump len filter



## bzk (Jan 7, 2016)

Hello all,

I am trying to do a tcpdump(1) filter like the one below. The idea is to filter all Ethernet frames by where the frame ends: as I understand it, the keyword len has the total length of the captured packet; the filter subtracts 85 positions and compares whether that byte is equal to hex 0x2.

Does anybody know what I am doing wrong? tcpdump(1) does not complain when executing that command, but the filter does not work when attached to my C program. I am attaching that code with setsockopt(2) SO_ATTACH_FILTER.


```
sudo tcpdump 'ether [ len ] - 85 = 0x2' -dd
{ 0x80, 0, 0, 0x00000000 },
{ 0x7, 0, 0, 0x00000000 },
{ 0x50, 0, 0, 0x00000000 },
{ 0x14, 0, 0, 0x00000055 },
{ 0x54, 0, 0, 0x000000ff },
{ 0x15, 0, 1, 0x00000002 },
{ 0x6, 0, 0, 0x0000ffff },
{ 0x6, 0, 0, 0x00000000 },
```


Thanks!


----------



## bzk (Jan 7, 2016)

Hi all, 

I just figured out the answer to my own question. I am posting it in case anybody would like to learn what I did to solve my issue. This will get the captured packet length, store it in tcpdump's keyword len, go back 85 positions (in bytes) and compare whether position len - 85 is equal to hex 0x2.



```
sudo tcpdump 'ether [ (len)-85 ] & 0xff = 0x2' -dd
{ 0x80, 0, 0, 0x00000000 },
{ 0x14, 0, 0, 0x00000055 },
{ 0x7, 0, 0, 0x00000001 },
{ 0x50, 0, 0, 0x00000000 },
{ 0x54, 0, 0, 0x000000ff },
{ 0x15, 0, 1, 0x00000002 },
{ 0x6, 0, 0, 0x0000ffff },
{ 0x6, 0, 0, 0x00000000 },
```

This would do it!

PS:
There are no tcpdump(1) examples out there using len, at least I did not find them.


----------
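To see how the two `-dd` programs above behave on the same frame, here is an added example that is not code from the thread: a minimal classic BPF interpreter covering only the seven opcodes that appear in the two dumps, run over a constructed 100-byte frame. The names `insn`, `run_filter`, `demo`, `first_try` and `working` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Same field layout as struct sock_filter in <linux/filter.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Same values as the two tcpdump -dd dumps in the thread. */
static const struct insn first_try[] = {
    { 0x80, 0, 0, 0 },      { 0x07, 0, 0, 0 },     /* A = len;  X = A */
    { 0x50, 0, 0, 0 },      { 0x14, 0, 0, 0x55 },  /* A = pkt[X];  A -= 85 */
    { 0x54, 0, 0, 0xff },   { 0x15, 0, 1, 0x02 },  /* A &= 0xff;  A == 2 ? */
    { 0x06, 0, 0, 0xffff }, { 0x06, 0, 0, 0 },     /* accept;  reject */
};
static const struct insn working[] = {
    { 0x80, 0, 0, 0 },      { 0x14, 0, 0, 0x55 },  /* A = len;  A -= 85 */
    { 0x07, 0, 0, 1 },      { 0x50, 0, 0, 0 },     /* X = A;  A = pkt[X] */
    { 0x54, 0, 0, 0xff },   { 0x15, 0, 1, 0x02 },  /* A &= 0xff;  A == 2 ? */
    { 0x06, 0, 0, 0xffff }, { 0x06, 0, 0, 0 },     /* accept;  reject */
};

/* Interprets only the seven opcodes used above; anything else rejects. */
uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, uint32_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case 0x80: A = len; break;                 /* ld  #len  */
        case 0x07: X = A; break;                   /* tax       */
        case 0x14: A -= p[pc].k; break;            /* sub #k    */
        case 0x54: A &= p[pc].k; break;            /* and #k    */
        case 0x15: pc += (A == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case 0x06: return p[pc].k;                 /* ret #k    */
        case 0x50:                                 /* ldb [x+k] */
            if ((uint64_t)X + p[pc].k >= len) return 0; /* load outside packet */
            A = pkt[X + p[pc].k]; break;
        default: return 0;
        }
    }
    return 0;
}

/* Constructed 100-byte frame carrying `marker` at offset len - 85 (= 15). */
uint32_t demo(const struct insn *p, uint8_t marker)
{
    uint8_t frame[100] = { 0 };
    frame[sizeof frame - 85] = marker;
    return run_filter(p, 8, frame, sizeof frame);
}

int main(void) { printf("%u %u\n", demo(first_try, 2), demo(working, 2)); return 0; }
```

In the first program the indexed load uses X = len, which is always one byte past the end of the frame, so the filter returns 0 for every packet. The second subtracts 85 before copying A to X, so the load reads the byte at len - 85.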

