[Winpcap-users] strange filtering issue
riedel at codylabs.com
Fri May 2 19:46:10 UTC 2014
> On May 1, 2014, at 3:38 PM, Jerry Riedel <riedel at codylabs.com> wrote:
>> Yep. It looks like the issue may center around the question that Guy was asking about VLAN headers. I'm using Wireshark to view the capture file and it shows that the packets to the filtered host that are ending up in the file are just the packets where dst = 192.168.10.2 (src = 192.168.10.2 are missing) and these have a VLAN1 header for some reason. Looks like something upstream is adding a VLAN tag that shouldn't be there and if I understand the reason for Guy's question, the issue is the offset from the VLAN header being prepended to the packet.
> vlan and !host 192.168.10.2
> (but it's odd that, when not saving to a file, you saw no VLAN packets to/from 192.168.10.2).
Ok, that worked - it filtered out the packets to host 192.168.10.2 that have the VLAN header AND the packets from 192.168.10.2 that do not have the VLAN header. Am I understanding the logic of the filter correctly: putting VLAN first moves the parsing past the VLAN header, if any, and if there is no VLAN header on a particular packet it is ignored? Otherwise, I don't get how that particular filter expression would filter out both VLAN-tagged and non-tagged packets to/from that host.
In light of this subsequent testing, it also now struck me as odd that the filters would behave differently when not saving to a file, so I went back and looked at a traffic histogram for that stream and found that it was not quite as steady as it had been at other times. It now appears likely that my testing occurred when that traffic stream had subsided.
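As an added illustration (not from this thread), the following models how libpcap evaluates the two filters discussed above on IPv4-over-Ethernet frames, restricted to IPv4 for brevity (the real `host` primitive also matches ARP/RARP addresses). It shows why `not host 192.168.10.2` kept the VLAN-tagged packets to that host, and why `vlan and not host 192.168.10.2` also drops the untagged packets from it: `vlan` requires the 802.1Q tag and then shifts the offsets of every later primitive by 4 bytes.

```python
import struct
import ipaddress
ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed Ethernet/IPv4 frame (test data, not a real capture). A vlan_id
    inserts a 4-byte 802.1Q tag between the MAC addresses and the ethertype."""
    frame = bytes.fromhex("001122334455" "66778899aabb")  # dst MAC, src MAC
    if vlan_id is not None:
        frame += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    frame += struct.pack("!H", ETH_P_IP)
    # Minimal 20-byte IPv4 header (UDP, no options); checksum left at zero.
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return frame

def _host_at(frame, ip, ethertype_off):
    """'host ip' with the ethertype at ethertype_off and the IPv4 header right after it."""
    if struct.unpack_from("!H", frame, ethertype_off)[0] != ETH_P_IP:
        return False
    ip_off = ethertype_off + 2
    addr = ipaddress.IPv4Address(ip).packed
    return addr in (frame[ip_off + 12:ip_off + 16], frame[ip_off + 16:ip_off + 20])

def not_host(frame, ip):
    """'not host ip', the original filter: fixed offsets, ethertype at 12, IP at 14.
    A tagged frame has 0x8100 at offset 12, so 'host' is false and 'not host' keeps it."""
    return not _host_at(frame, ip, 12)

def vlan_and_not_host(frame, ip):
    """'vlan and not host ip': 'vlan' matches only frames with an 802.1Q tag at offset 12
    and shifts every later offset by 4; untagged frames fail 'vlan' and are dropped."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return False
    return not _host_at(frame, ip, 16)

def run_filters(ip="192.168.10.2"):
    """Apply both filters to four constructed frames -> {name: (not_host, vlan_and_not_host)}."""
    frames = {
        "tagged_to_host": build_frame("192.168.10.9", ip, vlan_id=1),
        "untagged_from_host": build_frame(ip, "192.168.10.9"),
        "tagged_other": build_frame("192.168.10.7", "192.168.10.8", vlan_id=1),
        "untagged_other": build_frame("192.168.10.7", "192.168.10.8"),
    }
    return {n: (not_host(f, ip), vlan_and_not_host(f, ip)) for n, f in frames.items()}

if __name__ == "__main__":
    print(run_filters())
```

The True/False pairs reproduce the two observations in the thread: the tagged frame to the host survives `not host` but not `vlan and not host`, and the untagged frame from the host is dropped by both.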