[Winpcap-users] strange filtering issue

Jerry Riedel riedel at codylabs.com
Thu May 1 22:38:22 UTC 2014


From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Black, Mike (IS)
Sent: Thursday, May 01, 2014 4:09 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] strange filtering issue

Are you sure you're looking at the correct output file?
> Yep. It looks like the issue may center around the question that Guy was asking about VLAN headers. I'm using Wireshark to view the capture file and it shows that the packets to the filtered host that are ending up in the file are just the packets where dst = 192.168.10.2 (src = 192.168.10.2 are missing) and these have a VLAN1 header for some reason. Looks like something upstream is adding a VLAN tag that shouldn't be there and if I understand the reason for Guy's question, the issue is the offset from the VLAN header being prepended to the packet. Jerry.

What you're describing works for me:

I did this:
windump -s 0 -C100 -w test -W 40 -i 2 host !192.168.1.1

And did a ping and a web port request to it while running...

Then I do this...note that the filename is test00
windump -r test00 host 192.168.1.1
reading from file test00, link-type EN10MB (Ethernet)

And no packets are shown.



Michael D. Black
Senior Scientist
Analytics, Production and Services
Advanced GEOINT Systems
Northrop Grumman Information Systems

________________________________
From: winpcap-users-bounces at winpcap.org<mailto:winpcap-users-bounces at winpcap.org> [winpcap-users-bounces at winpcap.org] on behalf of Jerry Riedel [riedel at codylabs.com]
Sent: Thursday, May 01, 2014 3:44 PM
To: winpcap-users at winpcap.org<mailto:winpcap-users at winpcap.org>
Subject: EXT :[Winpcap-users] strange filtering issue
Hello,

I am trying to use filters in conjunction with saving the filtered packets to a file, using windump, but when I do, the filters seem to get ignored. Here is an example of what I am trying:

c:\windump -i 1 -s 0 -C 100 -w test -W 40 !host 192.168.10.2

When I use this, there are still packets to/from that host in the capture file. On the other hand, if I use:

windump -i 1 !host 192.168.10.2

...on the command line, I can see the packets to/from that host filtered out. To be clear, if I remove the ! from the command line, I see traffic to/from that host, if I add the ! back in, I don't, and there is a constant stream of traffic to/from this host.

The documentation I have been able to find seems to indicate that this is legal and I don't get any syntax errors. What am I missing?

Thanks,

Jerry
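
The offset problem Jerry describes above, as an added illustration (not code from the thread or from WinPcap/libpcap): a compiled `host X` filter on an Ethernet link checks the EtherType at byte 12 and the IPv4 addresses at fixed offsets 26 and 30. A frame carrying an 802.1Q tag has 0x8100 at byte 12 and its IP header shifted by four bytes, so `host X` does not match it, which means `not host X` lets it through. libpcap's `vlan` keyword moves those offsets, so `not (host X or (vlan and host X))` excludes the host in both cases. The frames below are constructed for the example, the filter model is a simplified re-implementation of that matching logic (IPv4 only), and `HOST` is the address from Jerry's message.

```python
import struct

# Address from the original report; frames below are constructed sample data.
HOST = "192.168.10.2"


def ip2bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ipv4_header(src, dst):
    # Minimal 20-byte IPv4 header; only the address fields matter to a host filter.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       ip2bytes(src), ip2bytes(dst))


def ethernet_frame(src, dst, vlan_id=None):
    # Ethernet II: dst MAC (6) | src MAC (6) | [802.1Q tag (4)] | EtherType (2) | payload.
    macs = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    return macs + tag + struct.pack("!H", 0x0800) + ipv4_header(src, dst)


def host_matches(frame, host, expect_vlan=False):
    """Simplified model of a compiled `host X` (or `vlan and host X`) test.

    Plain `host X` on an Ethernet link: EtherType 0x0800 at offset 12, then
    src/dst IPv4 at offsets 26 and 30. With `vlan` in front, the filter
    requires 0x8100 at offset 12 and shifts every later offset by 4.
    """
    off = 0
    if expect_vlan:
        if struct.unpack_from("!H", frame, 12)[0] != 0x8100:
            return False
        off = 4
    if struct.unpack_from("!H", frame, 12 + off)[0] != 0x0800:
        return False
    src = frame[26 + off:30 + off]
    dst = frame[30 + off:34 + off]
    return ip2bytes(host) in (src, dst)


def passes_naive_exclude(frame, host):
    # `not host X`: what the original command expressed.
    return not host_matches(frame, host)


def passes_vlan_aware_exclude(frame, host):
    # `not (host X or (vlan and host X))`: excludes the host whether or not
    # the frame carries an 802.1Q tag.
    return not (host_matches(frame, host)
                or host_matches(frame, host, expect_vlan=True))


if __name__ == "__main__":
    untagged = ethernet_frame(HOST, "10.0.0.1")
    tagged = ethernet_frame("10.0.0.1", HOST, vlan_id=1)
    for name, frame in (("untagged", untagged), ("vlan-tagged", tagged)):
        print(name, "naive:", passes_naive_exclude(frame, HOST),
              "vlan-aware:", passes_vlan_aware_exclude(frame, HOST))
```

Running it shows the untagged frame being dropped by both filters, while the VLAN-tagged frame slips past `not host X` and is only dropped by the VLAN-aware form; that is the pattern of "only the tagged direction ends up in the file" seen in the capture. When reviewing a capture filter used to exclude or include a host, it is worth checking a few captured frames for 0x8100 at byte 12 before trusting the filter.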
