[Winpcap-users] strange filtering issue
xnih13 at gmail.com
Mon May 5 21:51:59 UTC 2014
These are all in my program Satori and I honestly haven't looked at them in
years, since they were working, but I found that once you introduce "vlan"
into it, trying to filter more broadly from a bpf filter didn't always work,
though it looks like I still tried:
ARP - (arp) or (vlan and arp)
DHCP - (udp dst port 67 or 68) or (vlan and (udp dst port 67 or 68))
IP - (ip) or (ipv6) or (vlan and (ip or ip6))
SNMP - (udp dst port 161) or (udp dst port 162) or (udp src port 161) or
plus many others on my different dlls for passive fingerprinting.
All of this to say, I used bpf as the broad sword to filter out some, then
internally I checked to see if it was vlan traffic and parsed it down from
there. Playing with vlan traffic and bpf filters didn't seem to work well
7 years ago when I started playing with it in the 3.x days, and I never looked
much since then.
On Mon, May 5, 2014 at 3:16 PM, Jerry Riedel <riedel at codylabs.com> wrote:
> On May 5, 2014, at 12:38 PM, Jerry Riedel <riedel at codylabs.com> wrote:
> > !host 192.168.10.2 and !host 192.168.0.3 and !port 161 or vlan and !host
> 192.168.10.2 and !host 192.168.0.3 and !port 161 - this string excludes
> both hosts and port 161 from packets with and without the vlan tag.
> > Beyond confirming that using parentheses had an undesirable effect on
> the filter logic I did not do further testing to sort that one out.
> Yes, that's the issue.
> > Based on my testing, it does seem that this is a case where the Windows
> port differs from the *nix implementation of tcpdump.
> What testing have you done on *nix? (Note that compiling a filter
> expression into BPF code is done in libpcap/WinPcap, not tcpdump, and the
> interpretation of the BPF code to do filtering is done either in built-in
> kernel code in *nix and WinPcap driver code on Windows or in
> libpcap/WinPcap if the kernel-mode code can't do it for some reason, so
> it's not a tcpdump issue.)
> Other than using tcpdump (and snoop) back in the Solaris 5 days, I haven't
> really tested on *nix. What I meant was that the parentheses do not work in
> my winpcap/windump environment in the way they are said to work in the
> tcpdump documentation, based on my Windows based testing. If the
> parentheses do work as advertised in Linux that is great as I plan to move
> all of this off Windows and into Linux when I get some free time.
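The approach described in the top of this message (a coarse BPF filter, then a check for an 802.1Q tag in your own code before parsing the inner packet) sidesteps a documented property of libpcap/WinPcap filter compilation that also explains the parentheses behaviour Jerry saw: per pcap-filter(7), the first `vlan` keyword in an expression changes the decoding offsets for the remainder of that expression, so the untagged and tagged cases have to be spelled out as separate `X or (vlan and X)` branches, and parentheses do not reset the offsets. The block below is an added Python example, not code from the original post or from Satori; the frame builders, MAC/IP addresses and port numbers are constructed sample data, and the IPv6 branch assumes no extension headers.

```python
"""Strip 802.1Q/QinQ tags and classify the inner packet (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETH_8021Q, ETH_8021AD = 0x8100, 0x88A8        # single-tag TPID, QinQ outer TPID
ETH_IP, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
IPPROTO_UDP = 17


@dataclass
class Frame:
    vlan_ids: List[int]                    # tags stripped, outermost first
    proto: str                             # "arp", "ip", "ipv6" or "other"
    udp_ports: Optional[Tuple[int, int]]   # (src, dst) for UDP, else None


def parse_frame(raw: bytes) -> Frame:
    """Peel every VLAN tag, then decode just enough of the inner packet."""
    if len(raw) < 14:
        raise ValueError("short Ethernet header")
    (etype,) = struct.unpack("!H", raw[12:14])
    off, vlan_ids = 14, []
    while etype in (ETH_8021Q, ETH_8021AD):    # one iteration per stacked tag
        if len(raw) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[off:off + 4])
        vlan_ids.append(tci & 0x0FFF)          # low 12 bits of the TCI = VLAN ID
        off += 4
    body, proto, udp = raw[off:], "other", None
    if etype == ETH_ARP:
        proto = "arp"
    elif etype == ETH_IP and len(body) >= 20:
        proto = "ip"
        ihl = (body[0] & 0x0F) * 4             # header length including options
        if body[9] == IPPROTO_UDP and len(body) >= ihl + 8:
            udp = struct.unpack("!HH", body[ihl:ihl + 4])
    elif etype == ETH_IPV6 and len(body) >= 40:
        proto = "ipv6"
        # Assumption: no extension headers; a real parser would walk the chain.
        if body[6] == IPPROTO_UDP and len(body) >= 48:
            udp = struct.unpack("!HH", body[40:44])
    return Frame(vlan_ids, proto, udp)


# The same selections the DHCP/SNMP BPF filters above make, applied after
# de-tagging, so one predicate covers untagged, single-tagged and QinQ frames.
def is_dhcp(f: Frame) -> bool:
    return f.udp_ports is not None and f.udp_ports[1] in (67, 68)


def is_snmp(f: Frame) -> bool:
    return f.udp_ports is not None and bool({161, 162} & set(f.udp_ports))


# --- constructed sample frames (not captured traffic) ---------------------
def eth(etype: int, payload: bytes, vlan_ids: Tuple[int, ...] = ()) -> bytes:
    out = bytes.fromhex("ffffffffffff001122334455")   # dst MAC, src MAC
    for i, vid in enumerate(vlan_ids):
        outer = len(vlan_ids) > 1 and i == 0           # QinQ outer tag uses 0x88A8
        out += struct.pack("!HH", ETH_8021AD if outer else ETH_8021Q, vid)
    return out + struct.pack("!H", etype) + payload


def ipv4_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data  # csum 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                       IPPROTO_UDP, 0, bytes([192, 168, 10, 2]),
                       bytes([255, 255, 255, 255])) + udp


def ipv6_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return struct.pack("!IHBB16s16s", 0x60000000, len(udp), IPPROTO_UDP, 64,
                       bytes(15) + b"\x01", bytes(15) + b"\x02") + udp


SAMPLES = {
    "dhcp_untagged": eth(ETH_IP, ipv4_udp(68, 67)),
    "dhcp_vlan10": eth(ETH_IP, ipv4_udp(68, 67), (10,)),
    "snmp_qinq": eth(ETH_IP, ipv4_udp(50123, 161), (100, 200)),
    "snmp6_vlan20": eth(ETH_IPV6, ipv6_udp(162, 50124), (20,)),
    "arp_vlan10": eth(ETH_ARP, bytes.fromhex("0001080006040001") + bytes(20), (10,)),
}


def classify_all() -> dict:
    """Return {name: (vlan_ids, proto, is_dhcp, is_snmp)} for every sample."""
    result = {}
    for name, raw in SAMPLES.items():
        f = parse_frame(raw)
        result[name] = (f.vlan_ids, f.proto, is_dhcp(f), is_snmp(f))
    return result


if __name__ == "__main__":
    for name, row in classify_all().items():
        print(f"{name:14s} vlans={row[0]} proto={row[1]} dhcp={row[2]} snmp={row[3]}")
```

With this in place the capture filter only needs the broad, tag-agnostic part (for example `vlan or ip or ip6 or arp`), and the per-protocol decision is made on the de-tagged frame, which is the "parse it down internally" step described above.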