[Winpcap-users] V4.0A - filter syntax

Marcel van Lieshout marcel at hmcs.nl
Tue May 30 08:09:41 GMT 2006


Hmm, I compared the compiled code and, indeed they are the same. Have to 
look deeper, probably something in my own code.

Sorry..

Marcel

Guy Harris wrote:
> On May 29, 2006, at 2:24 PM, Marcel van Lieshout wrote:
>
>> Two filters in V4.0A:
>>
>> "(ether dst 01:02:03:04:05:06) or (ether broadcast)"
>> "ether dst 01:02:03:04:05:06 or ether broadcast"
>> Both compile succesfully, but only the second one gives the
>> expected result
>
> They compile to the same *filter code* with both top-of-tree libpcap
> CVS and libpcap 0.8.3 on Mac OS X, so, at least with those versions
> of libpcap, they'd have to give the exact same result.
>
> What do
>
> windump -d "(ether dst 01:02:03:04:05:06) or (ether broadcast)"
>
> windump -d "ether dst 01:02:03:04:05:06 or ether broadcast"
>
> print?  If they print the same thing, then it's pure accident that
> the latter gave the expected result.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users 



More information about the Winpcap-users mailing list