One of the most powerful features of any protocol analyzer is the ability to capture or filter down to the byte or bit. This procedure goes by many names but all reference the words ‘Pattern Offset’ or ‘Data Offset.’
The word offset may seem a bit overwhelming, but the concept is very straightforward. You identify what you want to filter on which is referred to as the ‘data’ or ‘pattern.’ The second part is to determine where the data or pattern is in the packet, which is referred to the ‘offset.’
The offset can get a bit confusing since you need to pay attention to where you are starting your offset. This is based on which filter you decide to use. For example, you could start your offset from the Ethernet frame, IP, TCP, or UDP header.
In the video below, I walk you through how to configure a capture filter that will capture packets that have 180 as the last octet.
This same technique may be used to capture packets with specific application signatures, viruses, worms, and more. Try it out, and you will soon see that this isn't as complicated as you might think.