[Bro] signature header

Jean-Philippe Luiggi jp.luiggi at free.fr
Wed Oct 24 08:28:08 PDT 2007

On Wed, Oct 24, 2007 at 01:23:36PM +0100, Research Team wrote:
> Hi all  
> Can someone help me with this header? 
> header ip[16:4]
> I don't get it. What does it mean? I have read the manual but it was not very
> helpful


Speaking of pure tcpdump/libpcap definitions, we want to use 4 octets from
position 16 in the ip header.

And in this case, it seems to be the ip destination address.

See http://en.wikipedia.org/wiki/IPv4/Header

Please note that counting is done from '0'.

With regards,
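
Added example, not part of the original message: a small Python evaluator for the tcpdump/libpcap-style `ip[offset:size]` accessor, run against a constructed IPv4 header to show that bytes 16 to 19 (counting from 0) hold the destination address. The function names and the sample addresses are assumptions made for this illustration.

```python
import re
import socket
import struct

# Constructed sample: 20-byte IPv4 header (no options), 192.0.2.10 -> 198.51.100.7
SAMPLE_IP_HEADER = struct.pack(
    "!BBHHHBBH4s4s",
    0x45,      # byte 0: version 4, header length 5 words (20 bytes)
    0,         # byte 1: DSCP/ECN
    40,        # bytes 2-3: total length
    0x1234,    # bytes 4-5: identification
    0,         # bytes 6-7: flags and fragment offset
    64,        # byte 8: TTL
    6,         # byte 9: protocol (6 = TCP)
    0,         # bytes 10-11: checksum (left zero in this sample)
    socket.inet_aton("192.0.2.10"),    # bytes 12-15: source address
    socket.inet_aton("198.51.100.7"),  # bytes 16-19: destination address
)

ACCESSOR = re.compile(r"^ip\[(\d+)(?::(\d+))?\]$")


def eval_ip_accessor(expr, header):
    """Return the unsigned big-endian integer selected by 'ip[offset:size]'."""
    m = ACCESSOR.match(expr.strip())
    if not m:
        raise ValueError("not an ip[offset:size] expression: %r" % expr)
    offset = int(m.group(1))
    size = int(m.group(2)) if m.group(2) else 1  # size defaults to one byte
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    if offset + size > len(header):
        raise ValueError("accessor runs past the end of the header")
    return int.from_bytes(header[offset:offset + size], "big")


def as_dotted_quad(value):
    """Render a 32-bit integer as a dotted-quad IPv4 address."""
    return socket.inet_ntoa(struct.pack("!I", value))


if __name__ == "__main__":
    for expr in ("ip[9]", "ip[12:4]", "ip[16:4]"):
        print(expr, "=", eval_ip_accessor(expr, SAMPLE_IP_HEADER))
    dst = eval_ip_accessor("ip[16:4]", SAMPLE_IP_HEADER)
    print("ip[16:4] as address:", as_dotted_quad(dst))
```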

