<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{mso-style-name:msochpdefault;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri","sans-serif";}
span.emailstyle17
{mso-style-name:emailstyle17;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org]
<b>On Behalf Of </b>Black, Mike (IS)<br>
<b>Sent:</b> Thursday, May 01, 2014 4:09 PM<br>
<b>To:</b> winpcap-users@winpcap.org<br>
<b>Subject:</b> Re: [Winpcap-users] strange filtering issue<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Are you sure you're looking at the correct output file?</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="color:#1F497D">> Yep. It looks like the issue may center around the question that Guy was asking about VLAN headers. I’m using Wireshark to view the capture file and it shows that the packets to
the filtered host that are ending up in the file are just the packets where dst = 192.168.10.2 (src = 192.168.10.2 are missing) and these have a VLAN1 header for some reason. Looks like something upstream is adding a VLAN tag that shouldn’t be there and if
I understand the reason for Guy’s question, the issue is the offset from the VLAN header being prepended to the packet. Jerry.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><br>
What you're describing works for me:<br>
<br>
I did this:<br>
windump -s 0 -C100 -w test -W 40 -i 2 host !192.168.1.1<br>
<br>
And did a ping and a web port request to it while running...<br>
<br>
Then I do this...note that the filename is test00<br>
windump -r test00 host 192.168.1.1<br>
reading from file test00, link-type EN10MB (Ethernet)<br>
<br>
And no packets are shown.<br>
<br>
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
<div>
<div>
<p><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Michael D. Black<br>
Senior Scientist<br>
Analytics, Production and Services<br>
Advanced GEOINT Systems<br>
Northrop Grumman Information Systems<o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:black">
<hr size="2" width="100%" align="center">
</span></div>
<div id="divRpF254245">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">
<a href="mailto:winpcap-users-bounces@winpcap.org">winpcap-users-bounces@winpcap.org</a> [winpcap-users-bounces@winpcap.org] on behalf of Jerry Riedel [riedel@codylabs.com]<br>
<b>Sent:</b> Thursday, May 01, 2014 3:44 PM<br>
<b>To:</b> <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>
<b>Subject:</b> EXT :[Winpcap-users] strange filtering issue</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:black"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:black">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">I am trying to use filters in conjunction with saving the filtered packets to a file, using windump, but when I do, the filters seem to get ignored. Here is an example of what I am trying:
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">c:\windump -i 1 -s 0 -C 100 -w test -W 40 !host 192.168.10.2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">When I use this, there are still packets to/from that host in the capture file. On the other hand, if I use:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">windump -i 1 !host 192.168.10.2 <o:p>
</o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">…on the command line, I can see the packets to/from that host filtered out. To be clear, if I remove the ! from the command line, I see traffic to/from that host, if I add the ! back in, I don’t, and there is
a constant stream of traffic to/from this host.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">The documentation I have been able to find seems to indicate that this is legal and I don’t get any syntax errors. What am I missing?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Jerry
</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>