[Winpcap-users] strange filtering issue

Jerry Riedel riedel at codylabs.com
Mon May 5 21:16:07 UTC 2014

On May 5, 2014, at 12:38 PM, Jerry Riedel <riedel at codylabs.com> wrote:

> !host and !host and !port 161 or vlan and !host and !host and !port 161 - this string excludes both hosts and port 161 from packets with and without the vlan tag.

> Beyond confirming that using parentheses had an undesirable effect on the filter logic I did not do further testing to sort that one out.

Yes, that's the issue.

> Based on my testing, it does seem that this is a case where the Windows port differs from the *nix implementation of tcpdump.

What testing have you done on *nix?  (Note that the compiling of a filter expression into BPF code is done in libpcap/WinPcap, not tcpdump, and the interpretation of the BPF code to do filtering is done either in built-in kernel code in *nix and WinPcap driver code on Windows or in libpcap/WinPcap if the kernel-mode code can't do it for some reason, so it's not a tcpdump issue.)

Other than using tcpdump (and snoop) back in the Solaris 5 days, I haven't really tested on *nix. What I meant was that the parentheses do not work in my winpcap/windump environment in the way they are said to work in the tcpdump documentation, based on my Windows-based testing. If the parentheses do work as advertised in Linux, that is great, as I plan to move all of this off Windows and into Linux when I get some free time.
