<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.5730.11" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2>Please use some parentheses like this</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>(tcp and ip src host 192.168.1.1) || (tcp and ip dst host
192.168.1.1)</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>The "and" and "or" operators have equal precedence in the BPF
filtering language.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Have a nice day</FONT></DIV>
<DIV><FONT size=2>GV</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2></FONT> </DIV>
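<DIV><FONT size=2>Added example, not part of the original messages: a toy Python evaluator for the filter subset used in this thread, showing how the unparenthesized string groups when "and" and "or" share one precedence level and associate left to right. The function name, packet dictionaries and their fields are assumptions constructed for illustration; this is not WinPcap or libpcap code.</FONT></DIV>

```python
import re

# Toy model of the grouping rule only: "and" and "or" share one precedence
# level and associate left to right. This is not the libpcap filter compiler.
TOKEN = re.compile(r"\(|\)|\|\||[\w.]+")

def matches(expr, pkt):
    """Return True if the constructed packet dict satisfies the filter."""
    toks = TOKEN.findall(expr)
    pos = 0

    def primitive():
        nonlocal pos
        tok = toks[pos]
        if tok == "(":
            pos += 1
            val = expression()
            pos += 1  # skip the closing ")"
            return val
        if tok == "tcp":
            pos += 1
            return pkt["proto"] == "tcp"
        if tok == "ip" and toks[pos + 2] == "host":
            direction, addr = toks[pos + 1], toks[pos + 3]  # "src" or "dst"
            pos += 4
            return pkt[direction] == addr
        raise ValueError("unsupported token: " + tok)

    def expression():
        nonlocal pos
        val = primitive()
        # One loop handles both operators, so neither binds tighter.
        while pos != len(toks) and toks[pos] in ("and", "or", "||"):
            op = toks[pos]
            pos += 1
            rhs = primitive()
            val = (val and rhs) if op == "and" else (val or rhs)
        return val

    return expression()

# Constructed sample packets for the two hosts named in the thread.
INBOUND = {"proto": "tcp", "src": "192.168.1.1", "dst": "192.168.1.2"}
OUTBOUND = {"proto": "tcp", "src": "192.168.1.2", "dst": "192.168.1.1"}

FLAT = "tcp and ip src host 192.168.1.1 || tcp and ip dst host 192.168.1.1"
GROUPED = "(tcp and ip src host 192.168.1.1) || (tcp and ip dst host 192.168.1.1)"

for name, pkt in (("inbound", INBOUND), ("outbound", OUTBOUND)):
    print(name, "flat:", matches(FLAT, pkt), "grouped:", matches(GROUPED, pkt))
```

<DIV><FONT size=2>The flat string groups as ((tcp and src) or tcp) and dst, which reduces to "tcp and ip dst host 192.168.1.1", so only the packet sent to 192.168.1.1 matches.</FONT></DIV>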
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=cheng@ii-i.com href="mailto:cheng@ii-i.com">Zhiyuan Cheng</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, February 08, 2007 12:13
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Question about
Filter</DIV>
<DIV><BR></DIV>
<DIV><FONT face="Courier New" size=2>Hi, I want to configure winpcap to only
capture the packets between two machines, </FONT></DIV>
<DIV><FONT face="Courier New" size=2>with IP addresses, for example,
192.168.1.1 and 192.168.1.2</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>Winpcap is installed on machine
192.168.1.2, the filter string I used is</FONT></DIV>
<DIV><FONT face="Courier New" size=2>"tcp and ip src host 192.168.1.1 || tcp
and ip dst host 192.168.1.1"</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>But it seems that I only got packets sent
from 192.168.1.2 to 192.168.1.1, that is, </FONT></DIV>
<DIV><FONT face="Courier New" size=2>only the </FONT><FONT face="Courier New"
size=2>outgoing packets. The part of the filter string before "||" seems to
be ignored. </FONT></DIV>
<DIV><FONT face="Courier New" size=2>Is there anything wrong with this filter
string, and how can I </FONT><FONT face="Courier New" size=2>change it?
Thanks!</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>Zhiyuan</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<P>
<HR>
<P></P></BLOCKQUOTE></BODY></HTML>