[Winpcap-users] strange filtering issue

[Jerry Riedel]

On May 1, 2014, at 3:38 PM, Jerry Riedel <riedel at codylabs.com> wrote:

> Yep. It looks like the issue may center around the question that Guy was asking about VLAN headers. I'm using Wireshark to view the capture file and it shows that the packets  to the filtered host that are ending up in the file are just the packets where dst = 192.168.10.2 (src = 192.168.10.2 are missing) and these have a VLAN1 header for some reason. Looks like something upstream is adding a VLAN tag that shouldn't be there and if I understand the reason for Guy's question, the issue is the offset from the VLAN header being prepended to the packet.

So try

	vlan and !host 192.168.10.2

(but it's odd that, when not saving to a file, you saw no VLAN packets to/from 192.168.10.2).
_______________________________________________

Ok, that worked - filtered out the packets to host 192.168.10.2 that have the VLAN header AND the packets from 192.168.10.2 that do not have the VLAN header. Am I understanding the logic of the filter correctly; putting VLAN first moves the parsing past the vlan header, if any, and if there is no vlan header on a particular packet it is ignored? Otherwise, I don't get how that particular filter expression would filter out both vlan tagged and non-tagged packets to/from that host.

In light of this subsequent testing it also now struck me as odd that the filters would behave differently when not saving to a file so I went back and looked at a traffic histogram for that stream and found that it was not quite as steady as it had been other times, so it now appears likely that my testing occurred when that traffic stream had subsided.