<div dir="ltr"><div>These are all in my program Satori and I honestly haven't looked at them in years since they were working but I found that once you introduce "vlan" into it trying to filter more broadly from a bpf filter didn't always work, though looks like I still tried:<br>
</div><div><br></div><div>ARP - (arp) or (vlan and arp)</div><div>DHCP - udp dst port 67 or 68) or (vlan and (udp dst port 67 or 68))</div><div>IP - (ip) or (ipv6) or (vlan and (ip or ip6))</div><div>SNMP - (udp dst port 161) or (udp dst port 162) or (udp src port 161) or (vlan)</div>
<div><br></div><div>plus many others on my different dlls for passive fingerprinting.</div><div><br></div><div>All of this to say, I used bpf as the broad sword to filter out some, then internal I checked to see if it was vlan traffic and parsed it down from there. Playing with vlan traffic and bpf filters didn't seem to work well 7 years ago when I started playing with it in the 3.x days, never looked much since then.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, May 5, 2014 at 3:16 PM, Jerry Riedel <span dir="ltr"><<a href="mailto:riedel@codylabs.com" target="_blank">riedel@codylabs.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>
<br>
On May 5, 2014, at 12:38 PM, Jerry Riedel <<a href="mailto:riedel@codylabs.com">riedel@codylabs.com</a>> wrote:<br>
<br>
> !host 192.168.10.2 and !host 192.168.0.3 and !port 161 or vlan and !host 192.168.10.2 and !host 192.168.0.3 and !port 161 - this string excludes both hosts and port 161 from packets with and without the vlan tag.<br>
<br>
><br>
> Beyond confirming that using parentheses had an undesirable effect on the filter logic I did not do further testing to sort that one out.<br>
<br>
Yes, that's the issue.<br>
<br>
> Based on my testing, it does seem that this is a case where the Windows port differs from the *nix implementation of tcpdump.<br>
<br>
What testing have you don on *nix? (Note that the the compiling a filter expression into BPF code is done in libpcap/WinPcap, not tcpdump, and the interpretation of the BPF code to do filtering is done either in built-in kernel code in *nix and WinPcap driver code on Windows or in libpcap/WinPcap if the kernel-mode code can't do it for some reason, so it's not a tcpdump issue.) _______________________________________________<br>
<br>
</div></div>Other than using tcpdump (and snoop) back in the Solaris 5 days, I haven't really tested on *nix. What I meant was that the parentheses do not work in my winpcap/windump environment in the way they are said to work in the tcpdump documentation, based on my Windows based testing. If the parentheses do work as advertised in Linux that is great as I plan to move all of this off Windows and into Linux when I get some free time.<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Winpcap-users mailing list<br>
<a href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><br>
<a href="https://www.winpcap.org/mailman/listinfo/winpcap-users" target="_blank">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><br>
</div></div></blockquote></div><br></div>