[Winpcap-users] strange filtering issue

Eric Kollmann xnih13 at gmail.com
Mon May 5 21:51:59 UTC 2014

These are all in my program Satori and I honestly haven't looked at them in
years since they were working, but I found that once you introduce "vlan"
into it, trying to filter more broadly from a bpf filter didn't always work,
though it looks like I still tried:

ARP - (arp) or (vlan and arp)
DHCP - (udp dst port 67 or 68) or (vlan and (udp dst port 67 or 68))
IP - (ip) or (ipv6) or (vlan and (ip or ip6))
SNMP - (udp dst port 161) or (udp dst port 162) or (udp src port 161) or

plus many others on my different dlls for passive fingerprinting.

All of this to say, I used bpf as the broad sword to filter out some, then
internally I checked to see if it was vlan traffic and parsed it down from
there.  Playing with vlan traffic and bpf filters didn't seem to work well
7 years ago when I started playing with it in the 3.x days; I never looked
much since then.

On Mon, May 5, 2014 at 3:16 PM, Jerry Riedel <riedel at codylabs.com> wrote:

> On May 5, 2014, at 12:38 PM, Jerry Riedel <riedel at codylabs.com> wrote:
> > !host and !host and !port 161 or vlan and !host
> > and !host and !port 161 - this string excludes
> > both hosts and port 161 from packets with and without the vlan tag.
> >
> > Beyond confirming that using parentheses had an undesirable effect on
> > the filter logic I did not do further testing to sort that one out.
> Yes, that's the issue.
> > Based on my testing, it does seem that this is a case where the Windows
> > port differs from the *nix implementation of tcpdump.
> What testing have you done on *nix?  (Note that the compiling of a filter
> expression into BPF code is done in libpcap/WinPcap, not tcpdump, and the
> interpretation of the BPF code to do filtering is done either in built-in
> kernel code in *nix and WinPcap driver code on Windows or in
> libpcap/WinPcap if the kernel-mode code can't do it for some reason, so
> it's not a tcpdump issue.)
> Other than using tcpdump (and snoop) back in the Solaris 5 days, I haven't
> really tested on *nix. What I meant was that the parentheses do not work in
> my winpcap/windump environment in the way they are said to work in the
> tcpdump documentation, based on my Windows based testing. If the
> parentheses do work as advertised in Linux that is great as I plan to move
> all of this off Windows and into Linux when I get some free time.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
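The approach Eric describes above (let a broad BPF filter pass the traffic, then detect the 802.1Q tag yourself and parse from there) as an added Python example; this is not code from Satori or from anyone in the thread, and the frames are constructed here for illustration.

```python
import struct

ETH_P_8021Q, ETH_P_ARP, ETH_P_IP, ETH_P_IPV6 = 0x8100, 0x0806, 0x0800, 0x86DD

def strip_vlan(frame: bytes):
    """Return (vlan_ids, ethertype, l3_offset) for an Ethernet frame.

    Each 802.1Q tag inserts 4 bytes after the MAC addresses, which is why a
    BPF filter written for untagged frames misses tagged ones: every fixed
    offset it compiled in is off by 4. Stacked (QinQ) tags are walked too.
    """
    vlan_ids, off = [], 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlan_ids.append(tci & 0x0FFF)          # low 12 bits are the VLAN ID
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return vlan_ids, ethertype, off + 2

def classify(frame: bytes) -> str:
    """Mirror the filter groups from the post (ARP / DHCP / SNMP / IP)."""
    _, ethertype, off = strip_vlan(frame)
    if ethertype == ETH_P_ARP:
        return "ARP"
    if ethertype == ETH_P_IPV6:
        return "IP"
    if ethertype != ETH_P_IP:
        return "OTHER"
    ihl = (frame[off] & 0x0F) * 4              # IPv4 header length in bytes
    if frame[off + 9] == 17:                   # IPv4 protocol field: UDP
        sport, dport = struct.unpack_from("!HH", frame, off + ihl)
        if dport in (67, 68):
            return "DHCP"
        if sport == 161 or dport in (161, 162):
            return "SNMP"
    return "IP"

def build_frame(ethertype: int, payload: bytes, vlan_id=None) -> bytes:
    """Constructed test frame: broadcast dst, made-up src, optional 802.1Q tag."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan_id)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed samples: a zeroed ARP body and a minimal IPv4/UDP DHCP request (68 -> 67).
ARP_BODY = bytes(28)
IPV4_UDP_DHCP = (bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0])
                 + bytes(4) + b"\xff\xff\xff\xff" + struct.pack("!HHHH", 68, 67, 8, 0))
SAMPLES = {
    "arp_untagged": build_frame(ETH_P_ARP, ARP_BODY),
    "arp_vlan10": build_frame(ETH_P_ARP, ARP_BODY, vlan_id=10),
    "dhcp_vlan10": build_frame(ETH_P_IP, IPV4_UDP_DHCP, vlan_id=10),
}
```

The offset returned by `strip_vlan` is 14 for an untagged frame and 18 once a tag is present, which is the shift the `(vlan and ...)` half of each filter exists to compensate for.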
