[Winpcap-users] strange filtering issue
Guy Harris
guy at alum.mit.edu
Mon May 5 20:54:24 UTC 2014
On May 2, 2014, at 3:04 PM, Jerry Riedel <riedel at codylabs.com> wrote:
>> To filter out only packets to or from that host, and not filter out all non-tagged packets, do
>>
>> !host 192.168.10.2 or (vlan and !host 192.168.10.2)
>
> that does _not_ work - still get the packets that have the vlan header.
Sorry - that one succeeds if either
1) the packet does not have Ethernet followed immediately by IPv4 or it does but the IPv4 source or destination address is not 192.168.10.2 (well, there's also an ARP check in there, but we'll ignore that for now);
2) the packet has Ethernet followed immediately by VLAN but it's not Ethernet followed immediately by VLAN followed immediately by IPv4 or it is but the IPv4 source or destination address is not 192.168.10.2 (well, there's also an ARP check in there, but we'll ignore that for now);
"The packet has Ethernet followed immediately by VLAN" implies "the packet does not have Ethernet followed immediately by IPv4", so it matches all VLAN packets.
More information about the Winpcap-users
mailing list