[Winpcap-users] V4.0A - filter syntax
Marcel van Lieshout
marcel at hmcs.nl
Tue May 30 08:09:41 GMT 2006
Hmm, I compared the compiled code and, indeed they are the same. Have to
look deeper, probably something in my own code.
Guy Harris wrote:
> On May 29, 2006, at 2:24 PM, Marcel van Lieshout wrote:
>> Two filters in V4.0A:
>> "(ether dst 01:02:03:04:05:06) or (ether broadcast)"
>> "ether dst 01:02:03:04:05:06 or ether broadcast"
>> Both compile succesfully, but only the second one gives the
>> expected result
> They compile to the same *filter code* with both top-of-tree libpcap
> CVS and libpcap 0.8.3 on Mac OS X, so, at least with those versions
> of libpcap, they'd have to give the exact same result.
> What do
> windump -d "(ether dst 01:02:03:04:05:06) or (ether broadcast)"
> windump -d "ether dst 01:02:03:04:05:06 or ether broadcast"
> print? If they print the same thing, then it's pure accident that
> the latter gave the expected result.
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
More information about the Winpcap-users