[Winpcap-users] strange filtering issue

Guy Harris guy at alum.mit.edu
Fri May 2 20:26:21 UTC 2014


On May 2, 2014, at 12:46 PM, Jerry Riedel <riedel at codylabs.com> wrote:

>> So try
>> 
>> 	vlan and !host 192.168.10.2
>> 
>> (but it's odd that, when not saving to a file, you saw no VLAN packets to/from 192.168.10.2).
> 
> Ok, that worked - filtered out the packets to host 192.168.10.2 that have the VLAN header AND the packets from 192.168.10.2 that do not have the VLAN header. Am I understanding the logic of the filter correctly; putting VLAN first moves the parsing past the vlan header, if any,

Yes.

> and if there is no vlan header on a particular packet it is ignored?

No.  If there is no VLAN header on a particular packet, the filter "vlan" *rejects* the packet.

> Otherwise, I don't get how that particular filter expression would filter out both vlan tagged and non-tagged packets to/from that host.

It filters out *all* non-tagged packets, regardless of whether they're to or from that host or not (or even whether they're IP packets).

To filter out only packets to or from that host, and not filter out all non-tagged packets, do

	!host 192.168.10.2 or (vlan and !host 192.168.10.2)

> In light of this subsequent testing it also now struck me as odd that the filters would behave differently when not saving to a file so I went back and looked at a traffic histogram for that stream and found that it was not quite as steady as it had been other times, so it now appears likely that my testing occurred when that traffic stream had subsided.

Yes - the filtering mechanism works the same regardless of whether you're writing to a file or not, so it was probably a difference in the traffic.
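
A simplified model of how `vlan and !host 192.168.10.2` treats tagged and untagged frames, as described in the reply above. This is an added example, not libpcap code and not part of the original message. It assumes IPv4 only and a single 802.1Q tag with TPID 0x8100; the frames and function names are constructed for the illustration.

```python
import socket
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806

def frame(src_ip, dst_ip, vlan_id=None, ethertype=ETH_IPV4):
    """Build a constructed Ethernet frame: zero MACs, minimal IPv4-shaped payload."""
    eth = bytes(12)
    if vlan_id is not None:
        eth += struct.pack("!HH", TPID_8021Q, vlan_id)
    eth += struct.pack("!H", ethertype)
    ip = bytes([0x45]) + bytes(11) + socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    return eth + ip

def vlan(pkt):
    """Model of 'vlan': shifted link-header length if tagged, None (reject) if not."""
    (etype,) = struct.unpack_from("!H", pkt, 12)
    return 18 if etype == TPID_8021Q else None

def host(pkt, addr, l2_len=14):
    """Model of 'host addr' (IPv4 only), reading at the given link-header length."""
    (etype,) = struct.unpack_from("!H", pkt, l2_len - 2)
    if etype != ETH_IPV4:
        return False
    src, dst = pkt[l2_len + 12:l2_len + 16], pkt[l2_len + 16:l2_len + 20]
    return socket.inet_aton(addr) in (src, dst)

def vlan_and_not_host(pkt, addr):
    """Model of 'vlan and !host addr'."""
    l2_len = vlan(pkt)
    if l2_len is None:
        return False  # untagged: rejected before the host test is reached
    return not host(pkt, addr, l2_len)

H = "192.168.10.2"
SAMPLES = {  # constructed frames
    "tagged, to host": frame("192.168.10.9", H, vlan_id=100),
    "tagged, other hosts": frame("192.168.10.9", "192.168.10.7", vlan_id=100),
    "untagged, from host": frame(H, "192.168.10.9"),
    "untagged, other hosts": frame("192.168.10.9", "192.168.10.7"),
    "untagged ARP": frame("0.0.0.0", "0.0.0.0", ethertype=ETH_ARP),
}

def run():
    return {name: vlan_and_not_host(pkt, H) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, accepted in run().items():
        print(f"{name:24} {'accept' if accepted else 'reject'}")
```

Only the tagged frame between other hosts is accepted; every untagged frame is rejected regardless of its addresses or protocol.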


