[Winpcap-users] strange filtering issue
Guy Harris
guy at alum.mit.edu
Mon May 5 21:46:39 UTC 2014
The underlying problem here is not a difference between libpcap 1.0.0 (which is, in effect, what you're using here, unless you're using an old version of WinPcap) and libpcap 1.1.1 (which is what comes with the OS on my machine, OS X Mountain Lion).
It's that, as there's no BPF mechanism for dealing cleanly with VLAN headers (BPF having been developed back in 1993 or so, and 802.1Q came out in 1998), VLANs require the explicit "vlan" keyword, so that, for example:
1) to test for a given IP address being *present* in packets with VLAN headers, you have to do "vlan and host XXX.XXX.XXX.XXX", and to test for it being present both with and without VLAN headers, you have to do "host XXX.XXX.XXX.XXX or (vlan and host XXX.XXX.XXX.XXX)";
2) to *exclude* IP packets in which a given IP address is present, you need to do
!(host XXX.XXX.XXX.XXX or (vlan and host XXX.XXX.XXX.XXX))
so the correct filter for your simple case is
!(host 192.168.10.2 or (vlan and host 192.168.10.2))
and the correct filter for your more-complex case is
!(host 192.168.10.2 or host 192.168.0.3 or port 161 or (vlan and (host 192.168.10.2 or host 192.168.0.3 or port 161)))
(some parentheses may be redundant).
More information about the Winpcap-users
mailing list