[Winpcap-users] Filter Problem
Guy Harris
guy at alum.mit.edu
Sun Nov 27 00:04:44 GMT 2005
Deston High wrote:
> is it possible to use a filter like this: "pppoe or ether or xxx and tcp
> and port 60000". should work, right?
Maybe. It depends on whether having *ALL* filters on Ethernet (or
perhaps other LANs) check for protocols running directly on Ethernet,
protocols running on PPPOE, and protocols running on VLANs on Ethernet
would increase CPU time spent doing packet filtering enough to make a
difference that matters - not everybody runs PPPoE or VLANs on their
LAN, so not everybody *needs* that.
If it would, you'd have to do something such as
(tcp and port 60000) or (pppoes and tcp and port 60000)
if you need that, so that
tcp and port 60000
doesn't do extra checks for PPPoE on LANs where you don't need that check.
> I capture on ethernet device (NIC) . so, for me it's definitive
> IP-over-PPP-over-Ethernet.
And a filter of "src host XXX.XXX.XXX.XXX" captured IP-over-PPPoE
traffic from that host (not IP-over-Ethernet traffic from that host)?
("I'm capturing on an Ethernet device" doesn't imply "it's definitely
IP-over-PPPoE" - a LAN can have both local Ethernet traffic and PPPoE
traffic on it, for example.)
More information about the Winpcap-users
mailing list