[Winpcap-users] strange filtering issue

Guy Harris guy at alum.mit.edu
Mon May 5 21:07:33 UTC 2014


On May 5, 2014, at 12:38 PM, Jerry Riedel <riedel at codylabs.com> wrote:

> !host 192.168.10.2 and !host 192.168.0.3 and !port 161 or vlan and !host 192.168.10.2 and !host 192.168.0.3 and !port 161 - this string excludes both hosts and port 161 from packets with and without the vlan tag.
> 
> Beyond confirming that using parentheses had an undesirable effect on the filter logic I did not do further testing to sort that one out.

Yes, that's the issue.

> Based on my testing, it does seem that this is a case where the Windows port differs from the *nix implementation of tcpdump.

What testing have you done on *nix?  (Note that the compiling of a filter expression into BPF code is done in libpcap/WinPcap, not tcpdump, and the interpretation of the BPF code to do filtering is done either in built-in kernel code in *nix and WinPcap driver code on Windows or in libpcap/WinPcap if the kernel-mode code can't do it for some reason, so it's not a tcpdump issue.)

