.distance, .within, .at, .startin

These modifiers allow:

Name

Description

.distance

Skip the specified number of bytes (RANGE) from the start or from the last found block.

It has the following format:

.distance=<RANGE> [,<MODE>];

where <RANGE> is an integer starting from 0.

Optional parameters (<MODE>) will be detailed below.

For example, the following record skips 10 bytes from the start for the first template, and from the last found block for the second and subsequent templates.

.distance=10;

Examples of using optional parameters:

  • skip 10 bytes from the start:

    .distance=10, start;

  • skip 10 bytes from the last found template:

    .distance=10, match;

.within

Scan the selected interval (RANGE) from the start or from the last found block (the pattern must fall completely within the specified range).

It has the following format:

.within=<RANGE> [,<MODE>];

where <RANGE> is an integer starting from 1.

Optional parameters (<MODE>) will be detailed below.

For example, the following record searches from the 1st to the 10th byte from the start for the first template, and from the last found block for the second and subsequent templates.

.within=10;

Examples of using optional parameters:

  • the search from the 1st (from the start) to the 10th byte:

    .within=10, start;

  • the search within 10 bytes from the last found template:

    .within=10, match;

.startin

Scan the selected interval (RANGE) from the start or from the last found block (for a match, only the beginning of the pattern has to fall within the specified range).

It has the following format:

.startin=<RANGE> [,<MODE>];

where <RANGE> is an integer starting from 1.

Optional parameters (<MODE>) will be detailed below.

.at

Check for the presence of the template at the specified position.

Important! This modifier cannot be used with the .distance and .within modifiers.

It has the following format:

.at=<RANGE> [,<MODE>];

where <RANGE> is an integer starting from 0.

Optional parameters (<MODE>) will be detailed below.

Optional parameters are provided in the table below:

Name

Description

start

Search from the beginning of the data flow.

Important! This is the default value for the first template.

packet

Scan from the beginning of the packet.

reverse

Search from the end of the packet (useful for Next Protocol checking in ESP).

match

Search from the last found template.

Important! This is the default value for the second and subsequent templates.

lastmark

Scan from the last tag set using .mark pset.

Note: If the optional parameter for the .distance and .within modifiers has the same value, then the value of the .within modifier is counted from the value of the .distance modifier.

For example, the record

.distance=10,match; .within=5,match

specifies the search in the range from the 10th to the 15th byte from the last found template.
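
The following Python model is an added illustration, not the product's matching engine. It shows how the modifiers narrow the search window, and why .within and .startin give different results for the same range. Assumptions: the function name and parameters are hypothetical, `base` is the offset that <MODE> resolves to (0 for start; for match, the end of the previously found template), and .distance, .within and .startin all use the same <MODE>.

```python
# Constructed sample payload; "HTTP/1.1" begins at byte 16.
DATA = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"

def match_offset(data, pattern, base=0, distance=0,
                 within=None, startin=None, at=None):
    """Return the offset where `pattern` matches under the modifiers, or -1."""
    if at is not None:
        # .at cannot be combined with .distance or .within (see above).
        if distance or within is not None:
            raise ValueError(".at cannot be used with .distance or .within")
        pos = base + at
        return pos if data[pos:pos + len(pattern)] == pattern else -1

    lo = base + distance                  # first byte the search may touch
    last_start = len(data) - len(pattern)
    if within is not None:
        # The whole pattern must end inside [lo, lo + within).
        last_start = min(last_start, lo + within - len(pattern))
    if startin is not None:
        # Only the first byte of the pattern must be inside [lo, lo + startin).
        last_start = min(last_start, lo + startin - 1)
    if last_start < lo:
        return -1                         # window too small for the pattern
    return data.find(pattern, lo, last_start + len(pattern))

if __name__ == "__main__":
    first = match_offset(DATA, b"GET ", at=0)      # first template, mode start
    base = first + len(b"GET ")                    # assumed base for mode match
    # .distance=10,match; .within=5,match; -> window is bytes 14..18, too short
    print(match_offset(DATA, b"HTTP/1.1", base, distance=10, within=5))
    # .distance=10,match; .startin=5,match; -> pattern may start at 14..18
    print(match_offset(DATA, b"HTTP/1.1", base, distance=10, startin=5))
```

With .within=5 the 8-byte pattern cannot fit in the 5-byte window, so the rule never matches; .startin=5 accepts it because only its first byte has to land in the window.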