General questions, tricks, tips, and other things that are asked frequently and important to remember!
What is the difference between offset, distance, depth and within?
All content matches and modifiers start from the first byte of the payload. None of them look in the header; header fields are parsed and can be matched using other directives.
depth is how far to LOOK into the payload from the start of the payload.
distance is how far to SKIP from the LAST byte of the previous match before looking for the current match.
offset is how far to SKIP into the packet from the beginning of the payload before looking for the current match.
within says only look in the NEXT x bytes AFTER the last byte of the last content match.
So offset and depth are measured from the start of the payload and are often used together; distance and within are similar but relative to the last content match.
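The four modifiers reduce to one search window per content match, which the Python model below computes and then searches, retrying an earlier content when a later relative one fails. It is an added example, not part of the original FAQ or Snort's own code; the function names and the payload are constructed, and it assumes depth is counted from offset, and within from the point distance skips to, when both are set.

```python
# Added example: a model of content-match search windows (not Snort's code).
PAYLOAD = b"USER anonymous\r\nPASS guest\r\n"  # constructed sample payload

def window(size, prev_end, offset=0, depth=None, distance=None, within=None):
    """Return the (start, stop) byte range in which one content may match."""
    if distance is not None or within is not None:
        # Relative modifiers: measured from the end of the previous match.
        start = prev_end + (distance or 0)
        # Assumption: within is counted from the point distance skips to.
        stop = size if within is None else start + within
    else:
        # Absolute modifiers: measured from the first payload byte.
        start = offset
        # Assumption: depth is counted from offset when both are set.
        stop = size if depth is None else start + depth
    return max(start, 0), min(stop, size)

def match(payload, contents, index=0, prev_end=0):
    """Match contents in order; return their start offsets, or None.

    contents is a list of (pattern, modifiers) pairs. If a later content
    fails, earlier ones are retried further along the payload.
    """
    if index == len(contents):
        return []
    pattern, mods = contents[index]
    start, stop = window(len(payload), prev_end, **mods)
    # bytes.find only reports hits that lie entirely inside [start, stop).
    pos = payload.find(pattern, start, stop)
    while pos != -1:
        rest = match(payload, contents, index + 1, pos + len(pattern))
        if rest is not None:
            return [pos] + rest
        pos = payload.find(pattern, pos + 1, stop)
    return None

if __name__ == "__main__":
    rule = [(b"USER", {"depth": 4}), (b"PASS", {"distance": 0, "within": 16})]
    print(match(PAYLOAD, rule))
```

A window one byte too short rejects the pattern even when its first bytes fall inside, which is a common reason a rule silently fails to fire.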
[Diagram example: image made by Deapesh Misra]
- 16 Feb 2009