[Winpcap-users] strange filtering issue
riedel at codylabs.com
Mon May 5 19:38:05 UTC 2014
Just to close out on this issue: I now have it working in the way that I need with windump/winpcap 4.1.3, so in case anyone else needs to do this, here is a sample of what works for filtering packets to/from hosts or ports, with and without vlan tags:

!host 192.168.10.2 and !host 192.168.0.3 and !port 161 or vlan and !host 192.168.10.2 and !host 192.168.0.3 and !port 161

This string excludes both hosts and port 161 from packets with and without the vlan tag.
In other words, the key is that the vlan primitive should only appear once in the filter string *and* for each filtered item that may appear with/without a vlan tag, you have to have it both before and after the vlan primitive.
My objective in all of this was to exclude noise from a continuous capture of traffic to/from the firewall.
Beyond confirming that using parentheses had an undesirable effect on the filter logic I did not do further testing to sort that one out. Based on my testing, it does seem that this is a case where the Windows port differs from the *nix implementation of tcpdump.
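The reason a host or port primitive has to be written once before and once after the vlan primitive is how the pcap-filter compiler lays out offsets: each primitive is compiled to read the ethertype and IP/transport fields at fixed link-layer offsets, and the vlan primitive adds 4 bytes to those offsets for every primitive that follows it in the string. A primitive written before vlan therefore only ever sees the untagged layout, and one written after it only the tagged layout. The following Python is an added illustration of that mechanism, not WinPcap or libpcap code: it is a deliberately small model that supports only Ethernet/IPv4/UDP frames, the host, port and vlan primitives, "!"/"not", "and" and "or" (and binding tighter than or), and no parentheses. The frames, addresses and ports it uses are constructed sample data, and the offset-shift semantics it models are an assumption about the compiler, stated here so the reader can compare against their own tests.

```python
"""Toy model of how the pcap-filter 'vlan' primitive shifts the offsets
used by later primitives. Added illustration, not WinPcap/libpcap code.
Assumes: Ethernet + optional 802.1Q + IPv4 + TCP/UDP only; primitives
host/port/vlan; '!' or 'not', 'and', 'or' (and binds tighter than or);
no parentheses."""
import ipaddress
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100


def build_frame(src_ip, dst_ip, sport, dport, vlan_id=None):
    """Constructed sample frame: Ethernet / [802.1Q tag] / IPv4 / UDP, no payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)   # TPID + TCI
    eth += struct.pack("!H", ETH_P_IP)
    udp = struct.pack("!HHHH", sport, dport, 8, 0)                 # sport, dport, len, csum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip + udp


def parse(expr):
    """Return or-terms, each a list of (negate, kind, arg, shift) primitives.

    'shift' is fixed at parse time: every primitive that follows a 'vlan'
    token in the string reads its fields 4 bytes further in, regardless of
    the boolean structure around it. Primitives before 'vlan' keep shift 0."""
    tokens = expr.replace("!", " not ").split()
    terms, shift, negate, i = [[]], 0, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "not":
            negate = not negate
        elif tok == "or":
            terms.append([])          # start a new or-term
        elif tok == "and":
            pass                      # stay in the current and-list
        elif tok == "vlan":
            terms[-1].append((negate, "vlan", None, shift))
            shift += 4                # everything after this reads past the tag
            negate = False
        elif tok in ("host", "port"):
            terms[-1].append((negate, tok, tokens[i + 1], shift))
            negate = False
            i += 1
        else:
            raise ValueError("unsupported token: " + tok)
        i += 1
    return terms


def eval_primitive(frame, kind, arg, shift):
    """Evaluate one primitive with its link-layer offsets moved right by 'shift'."""
    etype_off = 12 + shift
    if len(frame) < etype_off + 2:
        return False
    etype = struct.unpack_from("!H", frame, etype_off)[0]
    if kind == "vlan":
        return etype == ETH_P_8021Q
    if etype != ETH_P_IP:             # host/port need IPv4 at this offset
        return False
    ip = etype_off + 2
    if kind == "host":
        addr = ipaddress.ip_address(arg).packed
        return addr in (frame[ip + 12:ip + 16], frame[ip + 16:ip + 20])
    if frame[ip + 9] not in (6, 17):  # port needs TCP or UDP
        return False
    l4 = ip + (frame[ip] & 0x0F) * 4
    return int(arg) in struct.unpack_from("!HH", frame, l4)


def matches(expr, frame):
    """True if any or-term has all of its (possibly negated) primitives true."""
    return any(all(neg != eval_primitive(frame, kind, arg, shift)
                   for neg, kind, arg, shift in term)
               for term in parse(expr))


if __name__ == "__main__":
    plain = build_frame("192.168.10.2", "10.0.0.1", 40000, 161)
    tagged = build_frame("192.168.10.2", "10.0.0.1", 40000, 161, vlan_id=100)
    for f in ("host 192.168.10.2",
              "vlan and host 192.168.10.2",
              "host 192.168.10.2 or vlan and host 192.168.10.2"):
        print(f"{f!r:55} untagged={matches(f, plain)} tagged={matches(f, tagged)}")
```

Running it shows the split the post describes: "host 192.168.10.2" on its own matches only the untagged frame, "vlan and host 192.168.10.2" matches only the tagged one, and the two joined with "or" cover both. To check the real compiler rather than this model, compile the same expressions with tcpdump/windump -d and compare the offsets in the generated BPF instructions.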