[Winpcap-users] Filtering Expression fails
john mcnicholas
jomcn1 at gmail.com
Fri Jan 25 23:00:19 GMT 2008
>
> I'm new to this WinPcap library.
> Currently I'm using WinPcap 4.0.1 with my VC++ compiler.
> I have to filter the TCP packets holding the SYN flag.
>
> Whenever I try using the filter string "tcp[13] & 0x02 != 0", it just
> hangs in the pcap_next_ex() function. It's still waiting for the packets to
> come.
> But I'm getting the SYN packets in my Ethereal running at the same time.
> Also I tried "tcp[tcpflags] & tcp-syn != 0" and "tcp port 8080 and
> tcp-syn". None of them work.
> I didn't get any error message while compiling and setting the filter.
>
> But it works fine with the filter strings "tcp" and "tcp port 8080".
>
> Is this the correct expression for what I'm looking for?
> It would be great if anybody could help me regarding this.
>
Briefly:
- The first two filter expressions worked for me, although I only tried on a
trace file, but that shouldn't matter.
(pcap version = 4.0.0.1040)
- After examining the BPF program code, they probably won't work if you are
running on a VLAN.
(or perhaps a number of other network types)
- Suggestion: try testing your filter with a trace file first. Grab one from
wireshark.org if necessary.
(Note: the protocol stack that worked for me was the simple ETH:IP:TCP.)
Good luck.
john
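As an added illustration of the VLAN point above (example code written for this page, not from the thread's authors or from WinPcap), the following Python reproduces what `tcp[13] & 0x02 != 0` does once libpcap compiles it for plain Ethernet, where the EtherType is read at fixed offset 12 and the IP header is assumed to start at offset 14, and contrasts it with a tag-skipping variant. The frames are constructed inline as sample data; `build_frame`, `naive_syn_match` and `vlan_aware_syn_match` are names chosen here.

```python
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_frame(tcp_flags, vlan_id=None):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample data, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        # TPID 0x8100 followed by the 16-bit TCI (PCP/DEI zero, 12-bit VID)
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IP)
    # 20-byte IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # 20-byte TCP header: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 8080, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    return eth + ip + tcp


def _tcp_flags_at(frame, l2_len):
    """Return the TCP flags byte (tcp[13]) when the frame is an unfragmented
    IPv4/TCP packet whose IP header starts at l2_len; otherwise None."""
    if len(frame) < l2_len + 20:
        return None
    if struct.unpack("!H", frame[l2_len - 2:l2_len])[0] != ETHERTYPE_IP:
        return None
    ip = frame[l2_len:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
        return None
    # like libpcap's tcp[] access, reject non-first fragments (fragment offset != 0)
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return None
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    if len(tcp) < 14:
        return None
    return tcp[13]


def naive_syn_match(frame):
    """Emulates 'tcp[13] & 0x02 != 0' compiled for plain Ethernet: the EtherType
    is read at fixed offset 12, so any 802.1Q-tagged frame fails the 'ip' test."""
    flags = _tcp_flags_at(frame, 14)
    return flags is not None and (flags & TCP_SYN) != 0


def vlan_aware_syn_match(frame, syn_only=False):
    """Skip any number of 802.1Q tags (4 bytes each) before applying the same test.
    With syn_only=True, require SYN set and ACK clear, so SYN/ACK replies are dropped."""
    l2_len = 14
    while (len(frame) >= l2_len
           and struct.unpack("!H", frame[l2_len - 2:l2_len])[0] == ETHERTYPE_VLAN):
        l2_len += 4
    flags = _tcp_flags_at(frame, l2_len)
    if flags is None:
        return False
    if syn_only:
        return (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return (flags & TCP_SYN) != 0


if __name__ == "__main__":
    for label, frame in [("plain SYN", build_frame(TCP_SYN)),
                         ("VLAN 100 SYN", build_frame(TCP_SYN, vlan_id=100)),
                         ("plain SYN/ACK", build_frame(TCP_SYN | TCP_ACK))]:
        print(f"{label:14s} naive={naive_syn_match(frame)} "
              f"vlan_aware={vlan_aware_syn_match(frame)} "
              f"syn_only={vlan_aware_syn_match(frame, syn_only=True)}")
```

In filter syntax the tag-skipping form is `vlan and tcp[13] & 0x02 != 0`, because the first `vlan` keyword shifts the offsets of everything after it by 4 bytes. Note also that `& 0x02 != 0` matches the SYN/ACK reply as well as the initial SYN; `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` selects only the connection-opening segment, which is usually what a monitoring filter wants.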