[Winpcap-users] Filter Problem

Deston High mqx at low-axs.net
Sun Nov 27 00:27:18 GMT 2005



Guy Harris wrote:

> Deston High wrote:
>
>> is it possible to use a filter like this: "pppoe or ether or xxx and 
>> tcp and port 60000". should work, right?
>
>
> Maybe.  It depends on whether having *ALL* filters on Ethernet (or 
> perhaps other LANs) check for protocols running directly on Ethernet, 
> protocols running on PPPOE, and protocols running on VLANs on Ethernet 
> would increase CPU time spent doing packet filtering enough to make a 
> difference that matters - not everybody runs PPPoE or VLANs on their 
> LAN, so not everybody *needs* that.
>
> If it would, you'd have to do something such as
>
>     (tcp and port 60000) or (pppoes and tcp and port 60000)
>
> if you need that, so that
>
>     tcp and port 60000
>
> doesn't do extra checks for PPPoE on LANs where you don't need that 
> check.

thx for that advice!
It's just one packet to process... so I don't care about CPU usage here.

>> I capture on an Ethernet device (NIC), so for me it's definitely 
>> IP-over-PPP-over-Ethernet.
>
>
> And a filter of "src host XXX.XXX.XXX.XXX" captured IP-over-PPPoE 
> traffic from that host (not IP-over-Ethernet traffic from that host)?

Definitely IP-over-PPPoE, that's why I post here. It's very strange... 
looks like I only can't touch the TCP header but the IP header seems OK. 
From what I have posted before: "not dst host XXX.XXX.XXX.XXX", where 
XXX..... is my internet IP, works on IP-over-PPPoE!
I used this to make sure I only capture data where "dst host is not my 
IP", or in other words "src host is my IP".

I will try that again and reply here.

thx for your help!

> ("I'm capturing on an Ethernet device" doesn't imply "it's definitely 
> IP-over-PPPoE" - a LAN can have both local Ethernet traffic and PPPoE 
> traffic on it, for example.)
>
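
Added example, not part of the original message or of WinPcap/libpcap: a simplified IPv4-only model of the header offsets behind the two filter forms quoted above, showing why "tcp and port 60000" alone skips a PPPoE session frame while the combined form matches both. The function names and the sample frames are constructed for illustration, and the checks are a hand-written approximation, not libpcap's generated filter code.

```python
import struct

ETH_IPV4, ETH_PPPOE_SESSION, PPP_IPV4, IPPROTO_TCP = 0x0800, 0x8864, 0x0021, 6

def tcp_ports_at(frame, ip_off):
    """Return (sport, dport) if an IPv4/TCP header (first fragment) starts at ip_off."""
    if len(frame) < ip_off + 20 or frame[ip_off] >> 4 != 4:
        return None
    ihl = (frame[ip_off] & 0x0F) * 4
    frag = struct.unpack_from("!H", frame, ip_off + 6)[0] & 0x1FFF
    if ihl < 20 or frame[ip_off + 9] != IPPROTO_TCP or frag != 0:
        return None
    tcp_off = ip_off + ihl
    if len(frame) < tcp_off + 4:
        return None
    return struct.unpack_from("!HH", frame, tcp_off)

def match_plain(frame, port):
    """Model of 'tcp and port N': IPv4 must sit directly on Ethernet (offset 14)."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return False
    ports = tcp_ports_at(frame, 14)
    return ports is not None and port in ports

def match_pppoes(frame, port):
    """Model of 'pppoes and tcp and port N': PPPoE (6) + PPP (2) bytes move IP to 22."""
    if len(frame) < 22 or struct.unpack_from("!H", frame, 12)[0] != ETH_PPPOE_SESSION:
        return False
    if struct.unpack_from("!H", frame, 20)[0] != PPP_IPV4:
        return False
    ports = tcp_ports_at(frame, 22)
    return ports is not None and port in ports

def match_combined(frame, port):
    """Model of '(tcp and port N) or (pppoes and tcp and port N)' from the thread."""
    return match_plain(frame, port) or match_pppoes(frame, port)

# Constructed sample frames (RFC 5737 documentation addresses, checksums left at 0).
def _ip_tcp(sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

_MACS = bytes(6) + bytes([2, 0, 0, 0, 0, 1])
PLAIN_FRAME = _MACS + struct.pack("!H", ETH_IPV4) + _ip_tcp(49152, 60000)
PPPOE_FRAME = (_MACS + struct.pack("!H", ETH_PPPOE_SESSION)
               + struct.pack("!BBHH", 0x11, 0x00, 0x0001, 42)  # ver/type, code, session, length
               + struct.pack("!H", PPP_IPV4) + _ip_tcp(49152, 60000))
```
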


